2018 Registration document and annual financial report - BNP PARIBAS
5 RISKS AND CAPITAL ADEQUACY PILLAR 3
5.9 Operational risk
Operational risk is the risk of incurring a loss due to inadequate or failed internal processes, or due to external events, whether deliberate, accidental or natural occurrences. Management of operational risk is based on an analysis of the cause-event-effect chain.
Internal processes giving rise to operational risk may involve employees and/or IT systems. External events include, but are not limited to, floods, fire, earthquakes and terrorist attacks. Credit or market events such as default or fluctuations in value do not fall within the scope of operational risk.
Operational risk encompasses fraud, human resources risks, legal risks, non-compliance risks, tax risks, information system risks, conduct risks (risks related to the provision of inappropriate financial services), risk related to failures in operating processes, including loan procedures or model risks, as well as any potential financial implications resulting from the management of reputation risk.
REGULATORY FRAMEWORK
Operational and compliance risks come under a specific regulatory framework:
■ Directive 36/2013/UE (CRD 4) and Regulation (EU) No. 575/2013 (CRR) governing prudential supervision and the methods for calculating the amount of capital requirements to cover the operational risk;
■ French Ministry of Finance Decree of 3 November 2014, which defines the roles and responsibilities of the RISK Function (covering all types of risks) and an internal control system which ensures the efficiency and quality of the Bank's internal operations, the reliability of internal and external information, the security of transactions, as well as compliance with applicable laws, regulations and internal policies.
Banking regulation divides operational loss events into seven categories: (i) internal fraud, (ii) external fraud, (iii) employment practices and workplace safety (such as an anomaly arising from recruitment management), (iv) clients, products and business practices (such as product defects, mis-selling, professional misconduct, etc.), (v) damage to physical assets, (vi) business disruption and system failures, (vii) execution, delivery and process management (data entry error, error in documentation, etc.).
Effective management of compliance risk aims to ensure compliance with applicable laws, regulations, rules of ethics and instructions, protect the Group's reputation, that of its investors and that of its customers, ensure ethical professional behaviour, prevent conflicts of interest, protect customers' interests and market integrity, fight against money laundering, corruption and the financing of terrorist activities, as well as ensure compliance with financial embargos.
ORGANISATION AND OVERSIGHT MECHANISM [Audited]
KEY PLAYERS AND GOVERNANCE
The general internal control system at BNP Paribas underpins management of operational, compliance and reputation risks as part of its dual-level system to ensure periodic and permanent control.
Compliance, LEGAL, RISK and General Inspection form the Group's four supervision and control functions, with direct reporting of all their teams worldwide, guaranteeing their independence and resource autonomy.
The governance of the Group's internal control system is described in the section "Internal control" in chapter 2 "Internal Control and Corporate Governance".
A second-level control function is tasked with defining and supervising the operational risk management system. In 2016 RISK introduced a major project in order to identify the main changes required to the operational risk management system in the Group, to improve and optimise it by clarifying the responsibilities between the first and second lines of defence in the Group as well as the coordination between the various control functions. Accordingly, the Operational Risk and Control (RISK ORC) teams are now the second line of defence within RISK. In addition, a dedicated team (RISK ORC Information and Communication Technology), reporting to the Head of RISK, is now in charge of the second line of defence on technology risks and data protection (cyber security).