1.4. General risk control and management model

BBVA Group has a General Risk Control and Management Model (hereinafter, "the Model") adapted to its business model, organization and the geographical areas in which it operates. It allows it to operate within the framework of the control and risk management strategy defined by the Bank's company bodies and adapt to an economic and regulatory environment, addressing management globally and adapted to the circumstances at any particular time. The Model establishes a system of risk management that is adapted to the entity's risk profile and strategy.

This Model is applied comprehensively in the Group and is made up of the basic elements set out below:

• Governance and organization
• Risk Appetite
• Decisions and processes
• Evaluation, monitoring and reporting
• Infrastructure

The Group promotes the development of a risk culture that ensures the consistent application of the risk control and management Model within the Group and collaterals that the risk function is understood and permeates throughout all the levels of the organization.

1.4.1. Governance and organization

The risk governance model in BBVA is characterized by the strong involvement of its corporate bodies, both in establishing the risk strategy and in the continuous monitoring and supervising of its implementation.

Thus, as explained below, it is the corporate bodies that approve the risk strategy and the corporate policies for the different types of risks. The risk function is responsible within the scope of its management for implementing and developing the risk strategy, being answerable for it to the corporate bodies.

The responsibility for the day-to-day management of risks corresponds to the businesses, which engage in their business following the policies, rules, procedures, infrastructures and controls that are based on the framework set by the company bodies and defined by the risk function.

To carry out this work adequately, the risk function in the BBVA Group has been set up as a single, global function that is independent of the commercial areas.

1.4.1.1. Corporate governance layout

The BBVA Group has developed a system of corporate governance that is in line with the best international practices and adapted it to the requirements of the regulators in the country in which its different units operate.

The Board of Directors (hereinafter "the Board) approves the risk strategy and supervises the internal control and management systems. Specifically, the strategy approved by the Board includes at least the statement of the Group's Risk Appetite, the fundamental metrics and the basic structure of limits by geographical areas, risk types and asset classes, as well as the bases of the risk control and management Model. The Board also ensures that the budget is aligned with the approved Risk Appetite.

On the basis established by the Board of Directors, the Executive Committee approves the specific corporate policies for each type of risk. In addition, this committee approves the Group's risk limits and monitors them. It is informed both of the overruns of the limits and of any appropriate corrective measures that have been taken.

Finally, the Board of Directors has created a specialized committee for risks, the Risks Committee (RC). This committee analyzes and monitors risk periodically in the area of the attributions of the corporate bodies, and assists the Board of Directors and the Executive Committee in determining and monitoring the risk strategy and corporate policy strategy, respectively. Among its most important work is detailed control and monitoring of the risks affecting the Group overall, which allows it to ensure that the risk strategy is effectively integrated into management and the corporate policies approved by the corporate bodies are applied.

The head of the risk function in the executive line, the Corporate Risk Officer (CRO) carries out his work with the independence, authority, rank and resources required. He is appointed by the Bank's Board of Directors, as a member of its senior management, and has direct access to its corporate bodies (the Board of Directors, the Executive Committee and the Risks Committee), to which he reports regularly on the risk situation in the Group.

To perform his functions better, the CRO is supported by a structure made up of cross-cutting risk units in the corporate area and specific risk units in the Group's geographical and/or business areas. Each of these units has its own Risk Manager in charge of the geographical and/or business areas, who within the scope of his competence, carries out the functions of risk management and control and is responsible for applying the corporate policies and rules approved at Group level consistently, while adapting them if necessary to local requirements and reporting these matters to the local corporate bodies.

The Risk Managers of the geographical and/or business areas answer to both the CRO and the head of the geographical and/or business area. This system of co-dependence aims to ensure the interdependence of the local risk function from the operational functions, and allows them to be aligned with the Group's corporate policies and objectives with respect to risks.

Finally, the Group's policy on the selection of directors is contained in the selection procedure described in the Annual Corporate Governance Report. This procedure takes into account aspects such as diversity on the Board. The Appointments Committee is responsible for presenting to the Board the policy relating to diversity and the gender representation targets on the Board at all levels.

1.4.1.2. Organizational and committee structure

As mentioned above, the risk function is composed of the corporate area risk units, which carry out cross-cutting functions, and the risk units of the geographical and/or business areas.

• The corporate area risk units develop and submit to the Corporate Risk Officer (CRO) the proposal for the Group's Risk Appetite, the corporate policies, rules, procedures and global infrastructures within the framework of action approved by the corporate bodies; they ensure their correct application and report directly or through the CRO to the Bank's corporate bodies. Among their functions are:
  • Management of the different types of risks at Group level, in accordance with the strategy defined by the corporate bodies.
  • Planning of risks in line with the Risk Appetite principles.
  • Monitoring and control of the Group's risk profile in relation to the Risk Appetite approved by the Bank's corporate bodies, providing precise and reliable information with the frequency and in the format required.
  • Carrying out prospective analyses that can evaluate compliance with the Risk Appetite in stress scenarios and analyze the mechanisms for mitigating the effect.
  • Management of the technological and methodological developments required for development of the Model in the Group.
  • Articulating Group's Internal Risk Control model and defining the methodology, corporate criteria and procedures to identify and prioritize the risk inherent to each unit's activities and processes.
  • Validation of the models used and the results obtained by them to verify whether they are appropriate to the different uses to which they are applied.
• The risks units in the business areas develop and submit to the Risk Manager of the geographical and/or business area the proposed Risk Appetite applicable in each geographical and/or business area, with autonomy and always within the Group's Risk Appetite. At the same time, they ensure that the approved corporate policies and rules are applied consistently at Group level, adapting them where appropriate to local requirements; they are provided with the adequate infrastructures for the control and management of their risks and report, where appropriate, to the corporate bodies and senior management.

Thus the local risk units work with the corporate risk units with the aim of adapting to the risk strategy at Group level and pooling all the information necessary to monitor changes in risks.

The risk function's decision-making process is based on a committee structure. The global steering committee of the risk area is the main committee in the risk function. It proposes, checks, and approves, where appropriate, items such as the internal regulatory framework for risks, the procedures and infrastructures needed to identify, evaluate, measure and manage the risks faced by the Group in carrying out its business, and the admission of the operations with the most relevant risks. The members of this Committee are the CRO and the heads of the risk units of the corporate area and the most representative geographical and/or business areas.

The Global Risk Management Committee (GRMC) operates through various support committees, including the following:

• Global Technical Operations Committee: Its aim is to take decisions related to wholesale credit risk admission from certain customer segments.
• Monitoring, Assessment & Reporting Committee: Collaterals the existence and proper development of the aspects relating to the identification, evaluation, monitoring and reporting of risks, with a comprehensive and transversal approach.
• Asset Allocation Committee: An executive body for analysis and decision-making on all those issues related to credit risks that are linked to the processes designed to obtain a balance between risk and profitability in accordance with the Group's Risk Appetite.
• Technology and Methodologies Committee: Its aim is to determine the need for new models and infrastructures and to channel decision-making related to the tools required to manage all the risks to which the Group is exposed.
• Corporate Technological Risks and Operational Control Committee: The aim is to approve the Technological Risk Management and Operational Control Frameworks, in accordance with the General Risk Model, and monitor the metrics, risk profiles and operational loss events.
• Global Market Risk Unit Committee: The aim is to formalize, supervise and communicate the monitoring of trading risk in all the Global Markets business units.
• Corporate Operational Risk Admission and Outsourcing Committee: Identification and evaluation of the operational risks of new businesses, new products and services and outsourcing initiatives.

Each geographical and/or business area has its own risk management committee (or committees), with objectives and content similar to those of the corporate area, which develop their functions consistently and in line with the corporate policies and regulations on risks.

Within this organizational scheme, the risk function ensures the integration and application across the whole Group of a consistent risk strategy, regulatory framework, infrastructures and risk controls, while benefiting from customer insight and the proximity of each geographical and/or business area and transmitting the corporate culture on this matter to the Group's different organizational levels.

1.4.1.3. Internal Risk Control and Internal Validation

The Group has a specific Internal Risk Control unit. Its main function is to ensure there is a sufficient internal regulatory framework, a process and measures defined for each type of risk identified in the Group (and for those other types of risk for which the Group may be potentially affected). It controls their application and operation, as well as ensuring the integration of the risk strategy into the Group's management. The Internal Risk Control unit is independent of the units that develop the risk models, manage processes and execute controls. Its scope of action is global, from the geographical point of view and the type of risks.

The Group's Internal Risk Control Director is responsible for the function; he reports its activities and informs the CRO and the Board's Risks Committee of its work plans, as well as assisting the Board on such matters as it requires.

For these purposes the Risks area also has a Technical Secretary's Office, which is also independent of the units that develop the risk models, manage the processes and execute the controls. The Technical Secretary's Office offers the Committee the technical support it needs to perform its duties better.

The unit has a structure of teams at both corporate level and in the most relevant geographical areas in which the Group operates. As in the case of the Corporate Area, local units are independent of the business areas that execute the processes, and of the units that execute the controls, and report functionally to the Internal Risk Control unit. This unit's lines of action are established at Group level, and it is responsible for adapting and executing them locally, as well as for reporting the most relevant aspects.

In addition, the Group has an Internal Validation unit, which is also independent of the units that develop the risk models and of those that use them in management. Its functions include revision and independent validation at internal level of the models used for the control and management of risks in the Group.

The BBVA Group’s internal control system is based on the best practices developed in “Enterprise Risk Management – Integrated Framework” by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as well as in the “Framework for Internal Control Systems in Banking Organizations” by the Bank for International Settlements (BIS).

The control model has a system with three lines of defense:

• The first line is made up of the Group's business units, which are responsible for control within their area and for executing any measures established by higher management levels.
• The second line consists of the specialized control units (Legal Compliance, Global Accounting & Informational Management/Internal Financial Control, Internal Risk Control, IT Risk, Fraud & Security, Operations Control and the Production Divisions of the support units, such as Human Resources, Legal Services, etc.). This line supervises the control of the various units within their cross-cutting field of expertise, defines the necessary improvement and mitigating measures, and promotes their proper implementation. The Corporate Operational Risk Management unit also forms part of this line, providing a methodology and common management tools.
• The third line is the Internal Audit unit, which conducts an independent review of the model, verifying the effectiveness and compliance with corporate policies and providing independent information on the control model.

1.4.2. Risk Appetite

The Group's Risk Appetite as approved by the Board of Directors determines the risks and their level that the Group is prepared to assume to achieve its business objectives. These risks are expressed in terms of capital, liquidity, profitability, recurring revenue, cost of risk and other metrics. The determination of Risk Appetite has the following objectives:

• Make explicit the Group's strategy and the maximum levels of risk that the Group is prepared to assume, both at Group level and at geographical and/or business level.
• Establish guidelines for action and a management framework for the medium-long term that prevents actions (both at Group and geographical and/or business level) that may compromise the Group's future viability.
• Establish a framework for relating with the geographical and/or business areas, that preserves their decision-making autonomy while ensuring their consistent performance and preventing divergent behavior.
• Establish a common language across the whole organization and develop a risk culture geared toward compliance with it.
• Alignment with the new regulatory requirements, making communication with regulators, investors and other stakeholders easier, thanks to an integrated and stable risk management framework.

Risk Appetite is manifested through the following elements:

• The Risk Appetite Statement: It includes the general principles of the Group's risk strategy and the target risk profile.
• BBVA's risk policy is aimed at maintaining the risk profile made explicit in the Group's Risk Appetite Statement, which is manifested in a series of metrics that approximate it (Fundamental Metrics and Limits).
• Fundamental Metrics: They set out in quantitative terms the principles and target risk profile included in the Risk Appetite statement.
• Limits: They provide a structure for the Risk Appetite at the level of the geographical and/or business areas, legal entities, risk types, or any others that are considered appropriate, allowing them to be integrated into management.

The corporate risks area works with the different geographical and/or business areas to define their Risk Appetite so that it is coordinated across the group and to ensure that the profile is in line with the definition.

The BBVA Group assumes a certain level of risk in order to provide financial services and products for its customers and obtain attractive levels of return for shareholders. The organization has to understand, manage and control the risks it assumes.

The aim of the organization is not to eliminate all risks, but to assume a prudent level of risks that allows it to generate returns while maintaining acceptable capital and fund levels and generating recurrent earnings.

BBVA's Risk Appetite expresses the levels and types of risk that the Bank is prepared to assume to carry out its strategic plan without significant deviations, even in situations of tension. The Risk Appetite is integrated into management and determines the basic lines of the Group's activity, as it establishes the framework within which the budgeting process is developed.

CHART 2: Risk Appetite

1.4.2.1. Basic Metrics

These are the metrics that characterize the entity's objective behavior (defined in the statement), allowing an expression of the risk culture at all levels in a systematic and comprehensible way. They synthesize the entity's objectives and so they are useful for communicating with the stakeholders.

The basic metrics are strategic, propagated across the whole Group, comprehensible and easy to calculate, objectifiable at the business/geographical area level and subject to future projections.

1.4.2.2. Limits

Metrics that determine the strategic positioning of the entity for the different types of risk: structural (Asset & Liability Management, ALM), liquidity, markets, operations, etc. The following aspects differentiate it from the Basic Metrics:

1. They are levers for achieving the result: They are a management tool that responds to a strategic positioning and that must be aimed at allowing compliance with the Fundamental Metrics, even under adverse scenarios.

2. Risk metrics: A greater level of specialization. They do not necessarily have to be used across the whole Group.

3. Independent of the cycle: May include metrics with a limited correlation with the economic cycle, allowing comparability that is isolated from the specific macroeconomic situation.

They are therefore levers for remaining within the thresholds defined in the fundamental metrics and used to manage day-to-day risk. They include tolerance limits, sublimits and alerts established at the business/geographical, portfolio, product, etc. level.

In 2014 the Risk Appetite metrics changed in line with the established profile.

1.4.3. Decisions and processes

The transfer of Risk Appetite to ordinary management is supported by three basic aspects:

• A standard body of regulations
• Risk planning
• Integrated risk management throughout their life cycle

1.4.3.1. A uniform body of regulations

The corporate GRM area is responsible for defining and developing corporate policies, specific regulations, procedures and schemes for delegation according to which the risk decisions have to be adopted within the Group

The process of creation, standardization and integration into management of corporate rules and regulations is called regulatory standardization.

This process aims for the following objectives:

• Hierarchy and structure: Information that is well structured through a clear and simple hierarchy that allows dependent documents to be related to each other.
• Simplicity: An adequate and sufficient number of documents.
• Uniformity: Uniform number and content of documents.
• Accessibility: Easy search and access to documentation through the Corporate Risk Management Library.

The approval of corporate policies for all kinds of risks corresponds to the Bank's corporate bodies, while the corporate risk area approves the rest of the regulations.

The risk units of the geographical and/or business areas comply with this body of regulations and, where necessary, adapt it to local requirements, in order to have a decision-making process that is appropriate to the local level and in line with the Group's policies. If such adaptation is necessary, the local risks area must inform the corporate GRM area, which has to ensure consistency in the body of regulations at Group level. Where appropriate, it must thus give its prior approval to the modifications proposed by the local risk areas.

1.4.3.2. Risk planning

Risk planning ensures integration in Risk Appetite management through a cascade process of establishing limits, where the function of corporate area and geographical and/or business area risk units is to collateral this process is aligned with the Group's Risk Appetite.

It has the tools available to align and monitor the Risk Appetite defined at aggregate level by: business areas, legal entities, types of risk, concentrations and any other level that may be considered necessary.

The process of risk planning is present within the rest of the Group's planning framework to ensure the coherence of all the other processes.

1.4.3.3. Day-to-day risk management

All risks must be managed in an integrated fashion during their life cycle, based on differentiated treatment according to their type.

The risk management cycle is made up of 5 elements:

• Planning: Its aim is to ensure the Group's activities are consistent with the objective risk profile and to collateral solvency in carrying out the strategy.
• Evaluation: A process focused on identifying all the risks inherent in the activities carried out by the Group.
• Formalization: Includes the phases of origination, approval and formalization of the risk.
• Monitoring and Reporting: Continuous and structured risk monitoring, and preparation of reports for internal and/or external consumption (market, investors, etc.).
• Active portfolio management: Focused on identifying business opportunities, in both existing portfolios and in new markets, businesses or products.

1.4.4. Evaluation, monitoring and reporting

Evaluation, monitoring and reporting is a cross-cutting element that has to ensure that the Model has a dynamic and anticipatory vision, making possible compliance with the Risk Appetite approved by the corporate bodies, even under unfavorable scenarios. This process covers all the material risk categories and has the following objectives:

• Evaluate compliance of the Risk Appetite at the present time, through monitoring of the fundamental metrics and limits.
• Evaluate compliance of the Risk Appetite in the future through projection of the Risk Appetite variables, both in a baseline scenario determined by the budget, and in a specific risk scenario determined by stress tests.
• Identify and value the risk factors and scenarios that may compromise compliance of the Risk Appetite through the development of a repository of risks and an analysis of their impact.
• Act to mitigate the impact on the Group of the risk factors and scenarios identified, ensuring the risk remains within the target risk profile.
• Monitor the key variables that directly do not form part of Risk Appetite, but that condition its compliance. These may be both external and internal.

The following phases have to be developed to carry out this process:

• Identification of the risk factors, which has the aim of generating a map with the most relevant risk factors that could compromise the Group's performance with respect to the thresholds defined in the Risk Appetite.
• Evaluation of the impact: Consists of evaluating what impact the materialization of one or more risk factors identified in the previous phase could have on the Risk Appetite metrics, if a given scenario occurs.
• Response to undesirable situations and proposed measures for adjusting the situation: The overruns of the thresholds will be associated with an analysis of the measures for adjustments at the corresponding level that allow a dynamic management of the situation, even before it takes place.
• Monitoring: Aims to avoid ex ante losses through supervision of the Group's current risk profile and the risk factors identified.
• Reporting: Aims to give information on the risk profile assumed, offering precise, complete and reliable data to the corporate bodies and senior management with the frequency and detail required by the nature, importance and complexity of the risks.

1.4.5. Infrastructure

Infrastructure constitutes the element that must ensure that the Group has the human and technological resources required for effective management and supervision of risks, performance of the functions included in the Group's risk Model, and achievement of its objectives.

With respect to human resources, the Group's risk function must have an adequate workforce in terms of number, skills and experience.

With respect to technology, the Group ensures the integrity of the management information systems and the provision of the infrastructure required to support risk management, including the tools appropriate to the needs derived from the different types of risks in their admission, management, valuation and monitoring.

The principles according to which the Group's risk technology is governed are:

• Uniformity: The criteria are consistent across the whole Group, ensuring the same risk treatment at each geographical and/or business level.
• Integration in the management: The tools incorporate the corporate risk policies and are applied to the Group's day-to-day management.
• Automation of the main processes that compose the risk management cycle.
• Adequacy: Adequate supply of information at the appropriate time.

Through the Risk Analytics function, the Group has a corporate framework that develops measurement techniques and models, covering all the types of risk and the different purposes, and involves a uniform language for all the activities and geographical/business areas.

The execution is decentralized, allowing the Group's global scope to be used to the full. The idea is to develop the existing risk models continuously and generate others that cover the new range of businesses that are being deployed, with the aim of strengthening anticipation and proactiveness that characterize the risk function in the Group.

Equally, the risk units of the geographical and/or business areas must ensure they have sufficient means from the point of view of resources, structures and tools to develop risk management in accordance with the corporate model.

1.4.6. Risk culture

BBVA considers risk culture as an essential element for the consolidation and integration of the other components of the Model. The culture transfers to all the levels of the organization the implications involved in the Group's activities and businesses from the perspective of risk. The risk culture is based on a number of levers, including:

• Communication: Promotes the spread of the Model, and particularly the principles that should govern risk management in the Group consistently and comprehensively across the organization, through the most appropriate channels.

GRM has a variety of channels for communication that facilitate the transfer of information and knowledge between the different teams in the function and the Group, adapting the frequency, formats and recipients according to the objective set, making it easier to establish the basic principles of the risk function. Thus the culture of risks and the prudent management model begin with the corporate bodies and the Group's management and are transmitted across the whole organization.

• Training: The main aim is to spread and consolidate the prudent risk management model across the organization, ensuring standards in skills and knowledge in those involved in the risk management processes.

A well-defined and implemented system of training ensures the continuous improvement of the skills and knowledge of the Group's professionals, and in particular those in the GRM area. It is organized into four vectors that aim to develop each of the requirements of the GRM group by providing in-depth knowledge and skills in various subjects, such as: finance and risks, tools and technology, management and expertise, and languages.

• Motivation: An area where the aim is for the incentives of the teams in the risk function to support the risk management strategy, values and culture of the function at all levels. It includes remuneration, and all the other elements associated with motivation, such as the working environment, etc. that contribute to achieving the Model's objectives.