2018 Registration document and annual financial report - BNP PARIBAS 429
5 RISKS AND CAPITAL ADEQUACY - PILLAR 3
Operational risk
This new model is now finalised in all businesses and operational entities.
Consequently, the operational risk management and control system for the Group as a whole is structured around a two-level system with the following participants:
■ on the first line of defence: operational staff, notably the Heads of operational entities, business lines and functions, who are on the front line of risk management and of the implementation of systems to manage these risks;
■ on the second line of defence: specialist deconcentrated teams (domains, divisions, operational entities, business lines, functions and regions) coordinated centrally by the RISK ORC Group team involved in managing the Group's risks.
These teams are, in particular, responsible for:
■ coordinating, throughout the areas within their remit, the definition and implementation of the permanent control and operational risk identification and management system, its standards and methodologies, reporting and related tools;
■ acting as a second pair of eyes, independently of the Heads of operational entities, to scrutinise operational risk factors and the functioning of the operational risk and permanent control system, and issuing warnings, where appropriate.
More than five hundred employees on a full-time equivalent basis are responsible for these supervisory activities.
Issues relating to operational risk, permanent operational control and the emergency plan to ensure business continuity in those situations specified in the regulatory standards are regularly submitted to the Group's Executive Committee. The Group's operational entities and subsidiaries implement this governance structure within their organisations, with the participation of Executive Management.
For its part, Compliance is in charge of supervising the compliance and reputation risk control system (see section 5.3).
OBJECTIVES AND PRINCIPLES
To meet this dual requirement of the management and control of operational risk, BNP Paribas has developed a permanent iterative risk management process based on the following elements:
■ identifying and assessing operational risks;
■ formalising, implementing and monitoring the risk mitigation system, including procedures, checks and all organisational elements designed to help to control risk, such as segregation of tasks, management of access rights, etc.;
■ producing measures of known and potential risks and calculating the capital requirement for operational risk;
■ reporting and analysing oversight information relating to operational risk and the permanent control system;
■ managing the system through a governance framework that involves members of management, preparing and monitoring action plans.
This system rests on two major pillars:
■ the identification and assessment of risk and of the control system, based on the libraries of risks and controls defined by the Group's business lines and functions, which each entity must take into consideration and enhance, if necessary, for its own underlying and residual risk mapping and for the standardised impact assessment grid applicable across the Group;
■ the risk management system, underpinned by procedures, standards and generic control plans consistent with the above-mentioned risk libraries, which each entity must apply, unless an exception is authorised, and enhance according to its own characteristics.
SCOPE AND NATURE OF RISK REPORTING AND MEASUREMENT
Group Executive Committees, and those of operational entities (business lines, functions and subsidiaries), are tasked with monitoring the management of operational and non-compliance risk and permanent control in the areas falling within their remit, in accordance with the Group's operational risk framework. The committees validate the quality and consistency of reporting data, examine their risk profile in light of the tolerance levels they have set in keeping with the Group Risk Appetite Statement, and assess the quality of risk control procedures according to their objectives and the risks they incur. They monitor the implementation of risk mitigation techniques.
Operational risk management has developed a system of data collection of actual or potential incidents using an approach structured by organisational process and business unit (activities in a country and a single legal entity) focusing on the cause-and-effect chain behind events. This information is used as the basis for risk mitigation and prevention measures.
The most significant information is brought to the attention of staff at various levels of the organisation, up to and including executive managers and supervisory bodies, in line with a predefined information reporting process.