BBVA Group’s operational risk management framework includes a governance structure based on three lines of defense, with clear specification of responsibilities: a) policies and procedures that are common to the whole Group; b) systems to identify, measure, monitor, control and mitigate operational risks and losses; and c) tools and methodologies that quantify operational risk in terms of capital.
Operational risk management framework: three lines of defense
Operational risk management in BBVA is designed and coordinated from the Corporate Operational Risk Management (GCRO) unit, belonging to GRM, and from the Operational Risk Management units, located in the Risks departments of the different countries and business areas (Country GRO). The support areas, in turn, have operational risk managers (Business GRO) who report to the units of Country GRO and are responsible for implementing the model in the areas on a daily basis. This gives the Group a view of risks at the process level, where risks are identified and prioritized and mitigation decisions are made. Following a bottom-up approach, this system provides an overall view at each level.
Operational risk management framework: organizational structure
Each business and support unit has one or more GRO committees that meet on a quarterly basis. These committees analyze operational risks and take the appropriate mitigation decisions. Above these GRO committees is the Corporate Assurance Operating Committee (COCA), while at holding level the Global Corporate Assurance Committee (CGCA) undertakes a general monitoring of the Group’s main operational risks. The Board of Directors is responsible for setting the risk control and management policy and for periodically monitoring the internal reporting and control systems.
BBVA has worked in 2013 to improve the operational risk management model along two lines:
- Incorporating specialist control units to obtain a more independent and expert overview and to unify governance of the Group’s control functions.
- Bolstering the operational risk scenarios with a scenario database that can be updated each year. Exhaustive quantification reports are built for them under different environments, with the help of independent experts and specialists.
Operational risk management in the Group is based on the value-adding drivers generated by the advanced measurement approach (AMA), as follows:
1. Active management of operational risk and its integration into day-to-day decision-making means:
- Knowledge of the real losses associated with this risk (SIRO, or Integrated Operational Risk System).
- Identification, prioritization and management of real and potential risks.
- The existence of indicators that enable the Bank to analyze operational risk over time, define warning signals and verify the effectiveness of the controls associated with each risk.
The above helps create a proactive model for making decisions about control and business, and for prioritizing the efforts to mitigate relevant risks in order to reduce the Group’s exposure to extreme events.
2. Improved control environment and strengthened corporate culture.
3. Generation of a positive reputational impact.
