Risk management
General risk management and control model
The BBVA Group has a general risk management and control model (hereinafter, the “Model”) that is appropriate for its business model, its organization, the countries where it operates and its corporate governance system. This model allows the Group to carry out its activity within the risk management and control strategy and policy defined by the corporate bodies of BBVA and to adapt itself to a changing economic and regulatory environment, facing this management at a global level and aligned to the circumstances at all times.
This model, which is fully applied in the Group, comprises the following basic elements:
- Governance and Organization
- Risk Appetite Framework
- Assessment, Monitoring and Reporting
- Infrastructure.
The Group promotes the development of a risk culture that ensures a consistent application of the Model in the Group, and that guarantees that the risks function is understood and internalized at all levels of the organization.
Governance and Organization
The risk governance model in the BBVA Group is characterized by a special involvement of its corporate bodies, both in setting the risk strategy and in monitoring and supervising its implementation on an ongoing basis.
Thus, and as explained below, the corporate bodies are responsible for approving the risk strategy and the corporate policies for the different types of risks. Global Risk Management (GRM) and Regulation and Internal Control (including, among other areas, Non-Financial Risks) are the functions responsible for its implementation and development, with the appropriate reporting to corporate bodies.
Responsibility for day-to-day management of risks falls on business and corporate areas, the activities of which adhere to the policies, regulation, infrastructures and controls that, based on the framework set by corporate bodies, are defined by Global Risk Management and Regulation & Internal Control in their corresponding areas of responsibility.
To carry out this work adequately, the financial risks function in the BBVA Group (GRM) has been set up as a single, global function independent from commercial areas.
The head of the risks function at an executive level, the Group’s Chief Risk Officer (or CRO), is appointed by the Board of Directors as a member of its senior management, and reports directly on the development of the corresponding functions to the corporate bodies. The Chief Risk Officer, for the best fulfillment of the functions, is supported by a structure consisting of cross-cutting risk units in the corporate area and specific risk units in the Group's geographical and/or business areas.
In addition, and with regard to internal control and non-financial risks, the Group has a Regulation & Internal Control area independent from the rest of units and whose head (Head of Regulation & Internal Control) is also appointed by the Board of Directors of BBVA and reports directly to corporate bodies on the performance of its functions. This area is responsible for proposing and implementing non-financial risks policies and the Internal Control Model of the Group and it is composed of, among others, the Non-Financial Risks, Regulatory Compliance and Risk Internal Control units.
The Risk Internal Control unit, within the Regulation & Internal Control area and, therefore, independent from the financial risks function (GRM), acts as a control unit for the activities carried out by GRM. In this regard, and without prejudice to the functions performed by the Internal Audit area, Risk Internal Control checks that the regulatory framework and established measures are sufficient and appropriate for each type of financial risk. It also monitors its implementation and operation, and confirms that those decisions taken by GRM are taken independently from the business lines and, in particular, that there is an adequate segregation of functions between units.
Governance and organizational structure are basic pillars for ensuring an effective risk management and control. This section summarizes the roles and responsibilities of the corporate bodies in the risks area, of the Group's Chief Risk Officer and, in general, of the risks function, its interrelation and the group of committees, in addition to the Risk Internal Control unit.
Corporate Bodies of BBVA
According to the corporate governance system of BBVA, the Board of Directors of the Bank has certain reserved powers concerning management, through the implementation of the corresponding most relevant decisions, and concerning supervision and control, through the monitoring and supervision of implemented decisions and management of the Bank.
In addition, and to ensure an adequate performance of the management and supervisory functions of the Board of Directors, the corporate governance system comprises different committees supporting the Board of Directors with regard to matters falling within their competence, and according to the specific charter of each committee. For this purpose, a coordinated work scheme between these corporate bodies has been established.
In terms of risks, the Board of Directors has reserved those powers referred to determining the risk control and management policy and the supervision and control of its implementation.
In addition, and for an adequate performance of its duties, the Board of Directors is assisted by the Risk and Compliance Committee (“CRC”), on the issues detailed below, and by the Executive Committee (“CDP”), which is focused on the strategy, finance and business functions of the Group, for the purposes of which it monitors the risks of the Group.
The involvement of the corporate bodies of BBVA in the control and management of the risks of the Group is detailed below:
- Board of Directors
- The Board of Directors is responsible for establishing the risk strategy of the Group and, in this role, it determines the risks management and control policy, through the following documents:
- Risk Appetite Framework of the Group, which includes, on the one hand, the risk appetite statement of the Group, that is, the general principles governing the risk strategy of the Group and its target profile; and, on the other hand, and based on the above-mentioned risk appetite statement, a set of quantitative metrics (core metrics, and their corresponding statements, and by type of risk metrics), reflecting the risk profile of the Group;
- The framework of management policies of the different types of risk to which the Bank is, or could be, exposed. They contain the basic lines for a consistent management and control of risks throughout the Group, and consistent with the Risk Appetite Framework and the Model; and
- The Model.
- All of the above in coordination with the rest of prospective-strategic decisions of the Bank, which includes the Strategic Plan, the Annual Budget and the capital and liquidity planning, in addition to the rest of management objectives, whose approval is a responsibility of the Board of Directors.
- In addition to defining the risk strategy, the Board of Directors, in the performance of its risks monitoring, management and control tasks, also monitors the evolution of the risks of the Group and of each main business and/or geographical area, ensuring compliance with the Risk Appetite Framework of the Group; and also supervising internal information and control systems.
- For the development of all these functions, the Board of Directors is supported by the CRC and the CDP, which are responsible for the functions detailed below.
- Risk and Compliance Committee
- The CRC is, according to its own charter, composed of non-executive directors and its main purpose is to assist the Board of Directors on the establishment and monitoring of the risk control and management policy of the Group.
- For this purpose, it assists the Board of Directors in a variety of risk control and monitoring areas, in addition to its analysis functions, based on the strategic pillars established by the Board of Directors and the CDP, the proposals on the risk management, control and strategy of the Group, which are particularly specified in the Risk Appetite Framework and in this Model. After the analysis, the Risk Appetite Framework and Model proposal is submitted to the Board of Directors for consideration and, where appropriate, approval purposes.
- In addition, the CRC proposes, in a manner consistent with the Risk Appetite Framework of the Group approved by the Board of Directors, the management and control policies of the different risks of the Group, and supervises the internal control and information systems.
- With regard to the monitoring of the evolution of the risks of the Group and their degree of compliance with the Risk Appetite Framework and defined policies, and without prejudice to the monitoring task carried out by the Board of Directors and the CDP, the CRC carries out monitoring and control tasks with greater frequency and receives information with a sufficient granularity to achieve an adequate performance of its duties.
- The CRC also analyzes all measures planned to mitigate the impact of all identified risks, should they materialize, which must be implemented by the CDP or the Board of Directors, as the case may be.
- The CRC also monitors the procedures, tools and measurement indicators of those risks established at a Group level in order to have a comprehensive view of the risks of BBVA and its Group, and monitors compliance with the regulation and supervisory requirements in terms of risks.
- The CRC is also responsible for analyzing those project-related risks that are considered strategic for the Group or corporate transactions that are going to be submitted to the Board of Directors or the CDP, within its scope of competence.
- In addition, it contributes to the setting of the remuneration policy, checking that it is compatible with an appropriate and efficient management of risks and that it does not provide incentives to take risks breaching the level tolerated by the Bank.
- In 2019, the CRC held 21 meetings.
- Lastly, the CRC ensures the promotion of the risk culture in the Group.
- Executive Committee (CDP)
- In order to have a complete and comprehensive view of the progress of the businesses of the Group and its business units, the CDP monitors the evolution of the risk profile and the core metrics defined by the Board of Directors, being aware of any potential deviation or breach of the metrics of the Risk Appetite Framework and implementing, when applicable, the appropriate measures, as explained in this Model.
- In addition, the CDP is responsible for proposing the basis for developing the Risk Appetite Framework, which will be established in coordination with the rest of prospective/strategic decisions of the Bank (e.g., the Strategic Plan, the Annual Budget and the capital and liquidity planning), in addition to the rest of management objectives.
- Lastly, the CDP is the committee supporting the Board of Directors in decisions related to business risk and reputational risk, according to the dispositions set out in its own charter.
Chief Risk Officer of the Group
The Group’s Chief Risk Officer (CRO) is responsible for the management of all the financial risks of the Group with the necessary independence, authority, rank, experience, knowledge and resources. The CRO is appointed by the Board of Directors of BBVA and has direct access to its corporate bodies (Board of Directors, CDP and CRC), with the corresponding regular reporting on the risk situation in the Group.
The GRM area has a responsibility as the unit transversal to all the businesses of the BBVA Group. This responsibility is part of the structure of the BBVA Group, which is formed by subsidiaries based in different jurisdictions, which have autonomy and must comply with their local regulation, but always according to the risk management and control scheme designed by BBVA as the parent company of the BBVA Group.
The Chief Risk Officer of the BBVA Group is responsible for ensuring that those risks of the BBVA Group within the scope are managed according to the established model, assuming, among others, the following responsibilities:
- Prepare, in coordination with the rest of areas responsible for risks monitoring and control, and propose to corporate bodies the risk strategy of the BBVA Group, which includes the Risk Appetite statement of the BBVA Group, core (and their respective statements) and by type of risk metrics, and the Model.
- Define, in coordination with the rest of areas responsible for risks monitoring and control, and propose to corporate bodies the corporate policies for each type of risk within its scope of responsibility and, as part of these, establish the required specific regulation.
- Prepare, in coordination with the rest of areas responsible for risks monitoring and control, and propose for approval, or approving if within its competence, the risk limits for the geographies, business areas and/or legal entities, which shall be consistent with the defined Risk Appetite Framework; it is also responsible for the monitoring, supervision and control of risk limits within its scope of responsibility.
- Submit to the Risk and Compliance Committee the information required to carry out its supervisory and control functions.
- Regular reporting to the corresponding corporate bodies on the situation of those risks of the BBVA Group within its scope of responsibility.
- Identify and assess the material risks faced by the BBVA Group within its scope of responsibility, with an effective management of those risks and, where necessary, with the implementation of the required mitigation measures.
- Early warning to the relevant corporate bodies and the Chief Executive Officer of any material risk within its scope of responsibility that could compromise the solvency of the BBVA Group.
- Ensure, within its scope of responsibility, the integrity of measurement techniques and management information systems and, in general, the provision of models, tools, systems and resources to implement the risk strategy defined by the corporate bodies.
- Promote the risk culture of the BBVA Group to ensure the consistency of the Model in the different countries where it operates, strengthening the cross-cutting model of the risks function.
For decision-making purposes, the Chief Risk Officer of the Group has a governance structure for the function that culminates in a support forum, the Global Risk Management Committee (GRMC). This committee is the main executive committee for those risks within its competence, and its main purpose is the development of the strategies, policies, regulation and infrastructure required for identifying, assessing, measuring and managing those material risks within its scope of responsibility faced by the Group. This committee is composed of the Chief Risk Officer, who chairs the meetings, and the heads of the GRM corporate disciplines of the Risk Management Group, the four most relevant geographical risk areas, CIB, South America and Risk Internal Control. The purpose of the GRMC is to propose and challenge, among other issues, the internal risk regulatory framework and the infrastructures required to identify, assess, measure and manage the risks faced by the Group in carrying out its businesses and to approve risk limits by portfolio.
The GRMC carries out its functions assisted by various support committees which include:
- Global Credit Risk Management Committee: It is responsible for analyzing and decision-making related to wholesale credit risk admission.
- Wholesale Credit Risk Management Committee: its purpose is the analysis and decision-making regarding the admission of wholesale credit risk of certain customer segments of the BBVA Group.
- Work Out Committee: its purpose is to be informed about decisions taken under the delegation framework regarding risk proposals concerning clients on Watch List and clients classified as NPL of certain customer segments of the BBVA Group, as well as the sanction of proposals regarding entries, exits and changes of Watch List, entries and exits in non-performing unlikely to pay and turns to written off.
- Asset Allocation Committee: The executive authority responsible for analyzing and deciding on credit risk issues related to processes aimed at achieving a portfolio combination and composition that, under the restrictions imposed by the Risk Appetite Framework, allows the risk-adjusted return on equity to be maximized.
- Risk Models Management Committee: It ensures an appropriate decision-making process regarding the planning, development, implementation, use, validation and monitoring of the models required to achieve an appropriate management of the Model Risk in the BBVA Group.
- Global Markets Risk Unit Global Committee: It is responsible for formalizing, supervising and communicating the monitoring of trading desk risk in all the Global Markets business units, as well as coordinating and approving GMRU key decisions activity, and developing and proposing to GRMC the corporate regulation of the unit.
- Operational Risk and Product Governance Corporate Admission Committee: It is responsible for performing the adequate evaluation of initiatives with a significant operational risk (new business, products, outsourcing, process transformation, new systems, etc.) under the perspective of operational risk and the approval of the budget control area.
- It identifies, analyzes and assesses the operational risks associated with initiatives related to new business, products or services, outsourcing, process transformation and new systems, prior to their launch. It will also verify that Product Governance normative requirements are met and will decide about the insurance scheme (global policies).
- Retail Credit Risk Committee: It ensures the analysis, discussion and decision support on all issues regarding retail credit risk management that impact, or could potentially impact, the practices, processes and corporate metrics established in the Policies, Rules and Operating Frameworks.
- Asset Management Global Risk Steering Committee: its purpose is to develop and coordinate the strategies, policies, procedures, and infrastructure necessary to identify, assess, measure and manage the material risks facing the bank in the operation of businesses linked to BBVA Asset Management.
- Global Insurance Risk Committee: its purpose is to guarantee and promote the alignment and the communication between all the Insurance Risk Units in the BBVA Group. It will do this by promoting the application of standardized principles, policies, tools and risk metrics in the different regions with the aim of maintaining proper integration of insurance risk management in the Group.
- COPOR: its purpose is to analyze and make decisions in relation to the operations of the various geographies in which Global Markets is present.
Risk units of the corporate area and the business/geographical areas
The risks function is comprised of risk units from the corporate area, which carry out cross-cutting functions, and of risk units of the geographical/business areas.
- The risk units of the corporate area develop and submit to the Group’s Chief Risk Officer (CRO) the different elements required to define the proposal for the Group's Risk Appetite Framework, the corporate policies, regulation and global infrastructures within the operating framework approved by corporate bodies; they ensure their application and report directly or through the Group’s Chief Risk Officer (CRO) to the corporate bodies of BBVA. With regard to non-financial risks and reputational risk, which are entrusted to Regulation & Internal Control and Communications & Responsible Business respectively, the corporate units of GRM will coordinate, with the corresponding corporate units of those areas, the development of the elements that should be integrated into the Appetite Framework of the Group.
- The risk units of the business and/or geographical areas develop and submit to the Chief Risk Officer of the geographical and/or business areas the Risk Appetite Framework proposal applicable in each geography and/or business area, independently and always according to the Group's strategy/Risk Appetite Framework. In addition, they ensure the application of corporate policies and rules with the necessary adaptations, when applicable, to local requirements, providing the appropriate infrastructures for risk management and control purposes, within the global risk infrastructure framework defined by the corporate areas, and reporting to the corresponding corporate bodies and senior management, as applicable. With regard to Non-financial risks, which are integrated in the Regulation & Internal Control area, the local risk units will coordinate, with the unit responsible for the local management of this risk, the development of the elements that should be integrated into the local Risk Appetite Framework.
Thus, the local risk units work with the risk units of the corporate area with the aim of adapting themselves to the risk strategy at Group level and pooling all the information required to monitor the evolution of their risks.
As previously mentioned, the risks function has a decision-making process supported by a structure of committees, and also a top-level committee, the GRMC, whose composition and functions are described in section “Corporate Bodies of BBVA”.
Each geographical and/or business area has its own risk management committee(s), with objectives and contents similar to those of the corporate area. These committees perform their duties consistently and in line with corporate risk policies and rules, and their decisions are reflected in the corresponding minutes.
Under this organizational scheme, the risks function ensures the integration and application throughout the Group of the risk strategy, the regulatory framework, the infrastructures and standardized risk controls. It also benefits from the knowledge and proximity to customers in each geographical and/or business area, and conveys the corporate risk culture to the Group's different levels. Moreover, this organization enables the risks function to conduct and report to the corporate bodies an integrated monitoring and control of the risks of the entire Group.
Chief Risk Officers of geographical and/or business areas
The risks function is cross-cutting, i.e. it is present in all of the Group's geographical and/or business areas through specific risk units. Each of these units is headed by a Chief Risk Officer for the geographical and/or business area who, within the relevant scope of responsibility, carries out risk management and control functions and is responsible for applying the corporate policies and rules approved at Group level in a consistent manner, adapting them if necessary to local requirements and with the subsequent reporting to local corporate bodies.
The Chief Risk Officers of the geographical and/or business areas have functional reporting to the Group's Chief Risk Officer and hierarchical reporting to the head of their geographical and/or business area. This dual reporting system aims to ensure the independence of the local risks function from the operating functions and enable its alignment with the Group's corporate policies and goals related to risks.
Risk Internal Control
The Group has a specific Risk Internal Control unit, within the Regulation & Internal Control area, that, among other tasks, independently challenges and controls the regulation and governance structure in terms of financial risks and its implementation and deployment in GRM, in addition to the challenge of the development and implementation of financial risks control and management processes. In addition, it is also responsible for validating the risk models.
For this purpose, it has 3 subunits: Risk Internal Control, Risks Technical Secretariat and Risk Internal Validation.
- Risk Internal Control. It is responsible for challenging an appropriate development of the functions of GRM units, and for reviewing that the functioning of financial risks management and control processes is appropriate and in line with the corresponding regulation, identifying potential opportunities for improvement and contributing to the design of the action plans to be implemented by the responsible units.
- Risks Technical Secretariat. It is responsible for the definition, design and management of the principles, policies, criteria and processes through which the regulatory risk framework is developed, processed, reported and disclosed to the countries; and for the coordination, monitoring and assessment of its consistency and completeness. In addition, it coordinates the definition and structure of Risks Committees, and monitors their proper functioning, in order to ensure that all risk decisions are taken through an adequate governance and structure, ensuring their traceability. It also provides to the CRC the technical support required in terms of financial risks for a better performance of its functions.
- Risk Internal Validation. It is responsible for validating the risks models. In this regard, it effectively challenges the relevant models used to manage and control the risks faced by the Group, as an independent third party from those developing or using the models in order to ensure its accuracy, robustness and stability. This review process is not restricted to the approval process, or to the introduction of changes in the models, but it is a plan to make a regular assessment of those models, with the subsequent issue of recommendations and actions to mitigate identified weaknesses.
The Head of Risk Internal Control of the Group is responsible for the function and the reporting of the activities and work plans to the Head of Regulation & Internal Control and to the CRC, with the corresponding support in the issues required.
In addition, the risk internal control function is global and transversal, it includes all types of financial risks and has specific units in all geographical and/or business areas, with functional reporting to the Head of Risk Internal Control of the Group.
Risk Appetite Framework
Elements and development
The Group's Risk Appetite Framework approved by the corporate bodies determines the risks and the risk level that the Group is willing to assume to achieve its business objectives considering the organic evolution of business. They are expressed in terms of solvency, liquidity and funding and profitability and income recurrence, which are reviewed periodically and in case of material changes in the business strategy of the entity or relevant corporate transactions.
The Risk Appetite Framework is expressed through the following elements:
- Risk Appetite Statement: sets out the general principles of the Group's risk strategy and the target risk profile:
- The BBVA Group aims to promote a multichannel and responsible universal banking business model, based on values, committed to sustainable development and operational excellence and focused on our customers’ needs.
- To achieve these goals, the BBVA risk model is oriented to maintaining a moderate risk profile, a robust financial position and a sound risk-adjusted profitability through-the-cycle, as the best way to face adverse environments without jeopardizing our strategic goals.
- Risk Management at BBVA is based on prudent management, an integral view of all risks, a portfolio diversification by geography, asset class and client segment and keeping a long-term relationship with the client; thereby contributing to sustainable and profitable growth and recurrent value creation.
- Statements and core metrics: based on the appetite statement, statements are established that specify the general principles of risk management in terms of solvency, liquidity and funding and profitability and income recurrence. Moreover, the core metrics reflect, in quantitative terms, the principles and the target risk profile set out in the Risk Appetite statement. Each core metric has three thresholds ranging from usual management of the businesses to higher levels of impairment:
- Management reference: reference that determines a comfortable management level for the Group.
- Maximum appetite: maximum level of risk that the Group is willing to accept in its ordinary activity.
- Maximum capacity: maximum risk level that the Group could assume which, for some metrics, is associated with regulatory requirements.
- Statements and metrics by type of risk: based on the core metrics and their thresholds for each type of risk, statements are established that set out the general management principles for that risk and a number of metrics are determined, whose observance enables compliance with the core metrics and the Group's Risk Appetite statement. These metrics have a maximum risk appetite threshold.
In addition to this Framework, there is a level of management limits that is defined and managed by the areas responsible for the management of each type of risk in the development of the structure of metrics by type of risk, in order to ensure that the early management of risks complies with that structure and, in general, with the established Risk Appetite Framework.
Each significant geographical area (for the purposes of this model, significant is any geography representing more than 1% of the assets or operating income of the BBVA Group) has its own Risk Appetite framework, consisting of its local Risk Appetite statement, core metrics and statements, metrics and statements by type of risk, which must be consistent with those set at the Group level, but adapted to their own reality. These are approved by the corresponding corporate bodies of each entity. This Appetite Framework is deployed through a structure of limits consistent with the above.
The corporate risks area works with the various geographical and/or business areas to define their Risk Appetite Framework, so that it is coordinated with, and integrated into, the Group's Risk Appetite Framework, making sure that its profile is in line with the one defined. Moreover, and for the purposes of monitoring at local level, the Chief Risks Officer of the geographical and/or business area regularly reports on the evolution of the metrics of the Local Appetite Framework to the corporate bodies, as well as to the relevant top-level local committees, following a scheme similar to that of the Group, in accordance with its own corporate governance systems.
Within the issuing process of the Risk Appetite Framework of the Risks area (GRM), Risk Internal Control carries out an effective challenge of the Framework before being submitted to corporate bodies for analysis and, where applicable, approval.
Monitoring of the Risk Appetite Framework and management of breaches
So that corporate bodies can develop the risk functions of the Group, the heads of risks at an executive level will regularly report (or more frequently in the case of the CRC, within its scope of responsibility) on the evolution of the metrics of the Risk Appetite Framework of the Group, with the sufficient granularity and detail, in order to check the degree of compliance of the risks strategy set out in the Risk Appetite Framework of the Group approved by the Board of Directors.
If, through the monitoring of the metrics and supervision of the Risk Appetite Framework by the executive areas, a relevant deviation or breach of the maximum appetite levels of the metrics is identified, that situation must be reported and, where applicable, the corresponding corrective measures must be submitted to the CRC.
After the relevant review by the CRC, the deviation must be reported to the CDP –as part of its role in the monitoring of the evolution of the risk profile of the Group– and to the Board of Directors, which will be responsible, when applicable, for implementing the corresponding executive measures. For this purpose, the CRC will submit to the corresponding corporate bodies all the information received and the proposals prepared by the executive areas, together with its own analysis.
Notwithstanding the foregoing, once the information has been analyzed and the proposal of corrective measures has been reviewed by the CRC, the CDP may adopt, on grounds of urgency and under the terms established by law, measures corresponding to the Board of Directors, but always reporting those measures to the Board of Directors in the first meeting held after the implementation for ratification purposes.
In any case, an appropriate monitoring process will be established –with a greater information frequency and granularity, if required– regarding the evolution of the breached or deviated metric, and the implementation of the corrective measures, until it has been completely redressed, with the corresponding reporting to corporate bodies, in accordance with its risks monitoring, supervision and control functions.
Integration of the Risk Appetite Framework into the management
The transfer of the Risk Appetite Framework to ordinary management is underpinned by three basic elements:
- 1. The existence of a consistent regulatory framework: the corporate risks area defines and proposes the corporate policies within its scope of action, and develops the additional internal regulation required for the development of those policies and the operating frameworks on the basis of which risk decisions must be adopted within the Group. The approval of the corporate policies for all types of risks is a responsibility of the corporate bodies of BBVA, while the rest of regulation is defined at an executive level according to the framework of competences applicable at any given time. The risks units of the geographical and/or business areas comply with this regulation and perform, where necessary, the relevant adaptation to local requirements, in order to have a decision-making process that is appropriate at local level and aligned with the Group's policies.
- 2. Risk planning, which ensures the integration into the management of the Risk Appetite Framework through a cascade process established to set limits adjusted to the target risk profile. The risks units of the corporate area and of the geographical and/or business areas are responsible for ensuring the alignment of this process with the Group's Risk Appetite Framework in terms of solvency, liquidity and funding and profitability and income recurrence.
- 3. A comprehensive management of risks during their life cycle, based on differentiated treatment according to their type.
Assessment, monitoring and reporting
Assessment, monitoring and reporting is a cross-cutting function at Group level. This function ensures that the model has a dynamic and proactive vision to enable compliance with the Risk Appetite Framework approved by the corporate bodies, even in adverse scenarios.
This process is integrated in the activity of the risk units, both of the corporate area and in the geographical and/or business units, together with the units specialized in non-financial risks and reputational risk within the Regulation & Internal Control and Communications & Responsible Business areas respectively, in order to generate a comprehensive and single view of the risk profile of the Group.
This process is developed through the following phases:
- Monitoring of the identified risk factors that can compromise the performance of the Group or of the geographical and/or business areas in relation to the defined risk thresholds.
- Assessment of the impact of the materialization of the risk factors on the metrics that define the Risk Appetite Framework based on different scenarios, including stress testing scenarios.
- Response to unwanted situations and proposals for redressing measures to the corresponding levels, in order to enable a dynamic management of the situation, even before it takes place.
- Monitoring the Group's risk profile and the identified risk factors, through internal, competitor and market indicators, among others, to anticipate their future development.
- Reporting: complete and reliable information on the evolution of risks to corporate bodies and senior management, with the frequency and completeness appropriate to the nature, significance and complexity of the reported risks. The principle of transparency governs all the risk information reporting process.
Infrastructure
For the implementation of the Model, the Group has the resources required for an effective management and supervision of risks and for achieving its goals. In this regard, the Group's risks function:
- Has the appropriate human resources in terms of number, ability, knowledge and experience. The profile of resources will evolve over time based on the specific needs of GRM and Regulation & Internal Control, always with a high analytical and quantitative capacity as the main feature in the profile of those resources. Likewise, the corresponding units of the geographical and/or business areas ensure they have sufficient means from the resources, structures and tools perspective in order to achieve a risk management process aligned with the corporate model.
- Develops the appropriate methodologies and models for the measurement and management of the different risk profiles, and the assessment of the capital required to take those risks.
- Has the technological systems required to: support the risk appetite framework in its broadest definition; calculate and measure the variables and specific data of the risk function; support risk management according to this Model; and provide an environment for storing and using the data required for risk management purposes and reporting to supervisory bodies.
- Promotes an adequate data governance to ensure solid quality standards in the processes aligned with the relevant internal regulation.
Within the risk functions, both the profiles and the infrastructure and data shall have a global and consistent approach.
The human resources among the countries must be equivalent, ensuring a consistent operation of the risk function within the Group. However, they will be distinguished from those of the corporate area, as the latter will be more focused on the conceptualization of appetite frameworks, operating frameworks, the definition of the regulatory framework and the development of models, among other tasks.
As in the case of the human resources, technological platforms must be global, thus enabling the implementation of the risk appetite framework and the standardized management of the risk life cycle among all countries.
The corporate area is responsible for deciding on the platforms and for defining the knowledge and roles of the human resources. It is also responsible for defining risk data governance.
The foregoing is reported to the corporate bodies of BBVA so they can ensure that the Group has the appropriate means, systems, structures and resources.
Risk culture
The BBVA Group promotes the development of a risk culture based on the observance and understanding of values, attitudes, and behaviors that allow the compliance with the regulations and frameworks that contribute to an appropriate risk management.
At BBVA the Risk Governance Model is characterized by a special involvement of social bodies, as they define the risk culture that permeates the rest of the organization and has the following main elements:
- Our Purpose, which defines our reason for being and, together with our values and behaviors, guides the performance of our organization and the people who are part of it.
- The Risk Appetite Framework which determines the risks and levels of risks that the Group is willing to assume in order to fulfill its goals.
- The Code of Conduct establishes the behavior guidelines that we must follow to adjust our behavior to the BBVA values.
The Risk Culture at BBVA is based on these levers:
- Communication: The BBVA Group promotes the dissemination of the principles and values that should govern the conduct and risk management in a comprehensive and consistent manner. To do this, the most appropriate channels of communication are used, to allow for the Risk culture to be integrated into the business activities at all levels of the organization.
- Training: The BBVA Group favors the understanding of the values, risk management model, and the code of conduct in all scenarios, ensuring standards in skills and knowledge.
- Motivation: The BBVA Group aims to define incentives for BBVA employees that support the risk culture at all levels. Among these incentives, the role of the Compensation policy and incentive programs stands out, as well as the implementation of risk culture control mechanisms, including the complaint channels and the disciplinary committees.
- Monitoring: The BBVA Group pursues at the highest levels of the organization a continuous evaluation and monitoring of the risk culture to guarantee its implementation and identification of areas for improvement.
Credit risk
Positive performance of BBVA Group's risk metrics in 2019:
- Credit risk increased by 1.9% in 2019. At constant exchange rates the growth was 1.7%, where the decrease in Spain was offset by growth in the other business areas. In the fourth quarter credit risk increased 0.9% (up 2.1% at constant exchange rates). Growth was particularly strong in Spain and Mexico; and in the United States and Turkey, at constant exchange rates.
- The balance of non-performing loans fell by 2.1% in 2019 (down 2.2 at constant exchange rates), primarily due to the sale of non-performing loan portfolios in Spain, partially offsetting the growth in Turkey and, to a lesser extent, in Mexico. In the fourth quarter it fell by 2.1% (down 0.7% at constant exchange rates).
- The NPL ratio stood at 3.8% at the end of 2019, a decrease of 12 basis points compared to September and of 15 basis points in the year.
- Loan-loss provisions increased by 2.6% in the last twelve months (up 3.5% at constant exchange rates).
- The NPL coverage ratio closed at 77%, which was an improvement of 349 basis points compared to the close of 2018.
- The cumulative cost of risk stood at 1.04% at the end of 2019, in line with the end of 2018.
NON-PERFORMING LOANS AND PROVISIONS (MILLIONS OF EUROS)
CREDIT RISK (1) (MILLIONS OF EUROS)
| | 31-12-19 (2) | 30-09-19 (2) | 30-06-19 | 31-03-19 | 31-12-18 |
|---|---|---|---|---|---|
| Credit risk | 441,964 | 438,177 | 434,955 | 439,152 | 433,799 |
| Non-performing loans | 16,730 | 17,092 | 16,706 | 17,297 | 17,087 |
| Provisions | 12,817 | 12,891 | 12,468 | 12,814 | 12,493 |
| NPL ratio (%) | 3.8 | 3.9 | 3.8 | 3.9 | 3.9 |
| NPL coverage ratio (%) (3) | 77 | 75 | 75 | 74 | 73 |
(1) Includes gross loans and advances to customers plus guarantees given.
(2) Figures without considering the classification of non-current assets held for sale (NCA&L).
(3) The NPL coverage ratio includes the valuation adjustments for credit risk during the expected residual life of those financial instruments which have been acquired (mainly originated from the acquisition of Catalunya Banc, S.A., see Note 7 of the consolidated Financial Statements). Excluding these allowances, the NPL coverage ratio would stand at 74% in 2019 and 70% in 2018.
NON-PERFORMING LOANS EVOLUTION (MILLIONS OF EUROS)
| | 4Q19 (1) (2) | 3Q19 (2) | 2Q19 | 1Q19 | 4Q18 |
|---|---|---|---|---|---|
| Beginning balance | 17,092 | 16,706 | 17,297 | 17,087 | 17,693 |
| Entries | 2,484 | 2,565 | 2,458 | 2,353 | 3,019 |
| Recoveries | (1,509) | (1,425) | (1,531) | (1,409) | (1,560) |
| Net variation | 975 | 1,139 | 927 | 944 | 1,459 |
| Write-offs | (1,074) | (991) | (958) | (775) | (1,693) |
| Exchange rate differences and other | (262) | 237 | (561) | 41 | (372) |
| Period-end balance | 16,730 | 17,092 | 16,706 | 17,297 | 17,087 |
| Memorandum item: | | | | | |
| Non-performing loans | 15,954 | 16,337 | 15,999 | 16,559 | 16,348 |
| Non-performing guarantees given | 777 | 755 | 707 | 738 | 739 |
(1) Preliminary data.
(2) Figures without considering the classification of non-current assets held for sale (NCA&L).
Market risk
For further information, see Note 7.2 of the Consolidated Financial Statements.
Structural risks
Structural interest rate risk
The aim of managing interest-rate risk is to limit the sensitivity of the balance sheets to interest rate fluctuations. BBVA carries out this work through an internal procedure following the guidelines established by the European Banking Authority (EBA), which measures the sensitivity of net interest income and economic value to determine the potential impact of a range of scenarios on the Group's different balance sheets.
The model is based on assumptions intended to realistically mimic the behavior of the balance sheet. Of particular relevance are assumptions regarding the behavior of accounts with no explicit maturity and prepayment estimates. These assumptions are reviewed and adapted at least once a year to take into account any changes in behavior.
BBVA maintains, at the aggregate level, a favorable position in net interest income in the event of an increase in interest rates, as well as a moderate risk profile, in line with its target, through effective management of structural balance sheet risk.
By area, the main features of the balance sheets are:
- Spain and the United States have balance sheets characterized by a high proportion of variable-rate loans in the loan portfolio (basically, mortgages in Spain and corporate lending in both countries) and liability composed mainly of customer deposits. The ALCO portfolios act as hedges for the bank's balance sheet, mitigating its sensitivity to interest rate fluctuations. The profile of both balances remained stable during 2019, with a moderate reduction in the sensitivity of net interest income to lower interest rates in the two business areas.
- In Mexico, the equilibrium between balances referenced to fixed and to variable interest rates was maintained throughout 2019. In terms of the assets most sensitive to interest rate fluctuations, the corporate portfolio stands out, while consumer loans and mortgages are mostly at a fixed rate. The ALCO portfolio is used to neutralize the longer duration of customer deposits. The sensitivity of the interest margin remained limited and stable during 2019.
- In Turkey, the interest rate risk (between the Turkish lira and US dollars) was very limited: on the asset side, the sensitivity of loans, mostly fixed-rate but with relatively short maturities and the ALCO portfolio, including inflation-linked bonds, is balanced by the sensitivity of deposits, which are re-priced in the short term, in liabilities. The evolution of the currency balance sheets was positive in the year, showing a reduction in the sensitivity of the net interest income.
- In South America, the interest rate risk remained low due to the fixed/variable composition and maturities being very similar for assets and liabilities in most countries in the region. In addition, in balance sheets with several currencies, interest rate risk is managed for each of the currencies, showing a very low level of risk. Balance sheet profiles in the countries that make up this business area remain stable, maintaining a bounded and near-constant net interest income sensitivity throughout 2019.
Structural foreign exchange rate risk
Foreign exchange risk management of BBVA's long-term investments, principally stemming from its overseas franchises, aims to preserve the Group's capital adequacy ratios and ensure the stability of its income statement.
In 2019, the Argentine peso (-36%) and the Turkish lira (-9%) depreciated against the euro, while the Mexican peso (+6%) and the US dollar (+2%) appreciated on a year-on-year basis. BBVA has maintained its policy of actively hedging its main investments in emerging markets, covering on average between 30% and 50% of the annual earnings and around 70% of the excess CET1 capital ratio. Based on this policy, the sensitivity of the CET1 ratio to a depreciation of 10% against the euro of the main emerging-market currencies stood at -4 basis points for the Mexican peso and -2 basis points for the Turkish lira. In the case of the US dollar, the sensitivity to a depreciation of 10% against the euro is approximately +11 basis points, as a result of RWAs denominated in US dollars outside the United States. The coverage level for the expected earnings for 2020 is currently 24% for Mexico and 20% for Turkey.
Structural equity risk
For further information, see Note 7.3 of the Consolidated Financial Statements.
Liquidity and funding risk
Management of liquidity and funding at BBVA aims to finance the recurring growth of the banking business at suitable maturities and costs, using a wide range of instruments that provide access to a large number of alternative sources of financing, always in compliance with current regulatory requirements.
Due to its subsidiary-based management model, BBVA is one of the few major European banks that follows the Multiple Point of Entry (MPE) resolution strategy: the parent company sets the liquidity policies, but the subsidiaries are self-sufficient and responsible for managing their own liquidity (taking deposits or accessing the market with their own rating), without fund transfers or financing occurring between either the parent company and the subsidiaries, or between the different subsidiaries. This strategy limits the spread of a liquidity crisis among the Group's different areas, and ensures that the cost of liquidity and financing is correctly reflected in the price formation process.
The financial soundness of the BBVA Group's banking companies continues to be based on the funding of lending activity, fundamentally through the use of stable customer funds. During 2019, liquidity conditions remained strong across all countries in which the BBVA Group operates:
- In the eurozone, the liquidity situation remains strong, with a slight increase in the credit gap over the course of the year. In December, BBVA participated in the second liquidity auction of the European Central Bank's long-term loan program, TLTRO III, due to its favorable conditions in terms of cost and term. In this respect, the corresponding part of the TLTRO II program was amortized.
- In the United States, the liquidity situation is sound. In 2019, there was a decrease in the credit gap, primarily due to the increase in deposits, as a result of deposit-taking campaigns and a slowdown in lending activity. It should be noted that the very short term tensions that occurred in the United States repo market during the second half of the year, which forced the Federal Reserve to act by providing liquidity, had no impact on BBVA USA due to its low dependence on this type of transaction and the maintenance of an adequate liquidity buffer.
- In Mexico, the liquidity situation remains strong, despite a slight increase in the credit gap during the year due to a higher growth in credit investment compared to deposits. The liquidity situation reflects the measures that management carried out during the year to increase deposits, especially in foreign currency, under the pressure of strong competition.
- In Turkey, a good liquidity situation is maintained, despite the wholesale financing maturities recorded during the year, with an adequate buffer in the event of a possible liquidity stress scenario. The credit gap improved during the year on both balance sheets, due to the reduction of loans versus the growth of foreign currency deposits, while in local currency, there is a higher growth of deposits compared to loan growth.
- In South America, the liquidity situation remains strong throughout the region. In Argentina, the high volatility generated in the markets during the mid-year electoral process, resulted in an outflow of US dollar deposits in the banking system. The rate of outflows, however, had been substantially contained by the end of the year, and even experienced slight inflows. In this context, BBVA Argentina successfully dealt with this situation, relying on the solid liquidity position it maintained, as shown by the adequate liquidity ratios.
The BBVA Group's liquidity coverage ratio (LCR) remained well above 100% throughout 2019 and stood at 129% as of December 31, 2019. It comfortably exceeded 100% in all subsidiaries (eurozone 147%, Mexico 147%, the United States 145% and Turkey 206%). For the calculation of this ratio, it is assumed that there is no transfer of liquidity among subsidiaries; i.e. no kind of excess liquidity levels in foreign subsidiaries are considered in the calculation of the consolidated ratio. When considering these excess liquidity levels, the BBVA Group's LCR would stand at 158% (29 percentage points above 129%).
The Net Stable Funding Ratio (NSFR), defined as the ratio between the amount of stable funding available and the amount of stable funding required, is one of the Basel Committee's essential reforms, and requires banks to maintain a stable funding profile in relation to the composition of their assets and off-balance-sheet activities. This ratio should be at least 100% at all times. At the BBVA Group, the NSFR, calculated according to the Basel requirements, remained above 100% throughout 2019 and stood at 120% as of December 31, 2019. It comfortably exceeded 100% in all subsidiaries (eurozone 113%, Mexico 130%, the United States 116% and Turkey 151%).
The wholesale financing markets in which the Group operates remained stable.
The main transactions carried out by companies that form part of the BBVA Group during 2019 were:
- BBVA, S.A. issued three senior non-preferred debt instruments. The first was a €1,000m, five-year term bond with a fixed annual coupon of 1.125%; the second, in the form of a green bond (second after the inaugural bond issued in May 2018), also amounted to €1,000m, with an annual coupon of 1% and a seven-year term; and the third one was issued in September for €1,000m over a five-year period with a coupon of 0.375%, being the lowest coupon achieved by a senior non-preferential debt issue in Spain and the lowest paid by BBVA for senior debt (preferred and non-preferred). In November, BBVA issued a €1,000m seven-year preferred senior debt instrument with a 0.375% coupon.
- In addition, in January 2020, BBVA, S.A. issued €1,250m of seven-year senior non-preferred debt with a coupon of 0.5%, the lowest achieved by a Spanish issuer of this product with this maturity.
- With regard to capital issuances, BBVA, S.A. conducted three public capital issuances: the issuance of preferred securities that may be converted into ordinary BBVA shares (CoCos), registered with the Spanish Securities Market Commission (CNMV) for €1,000m, with an annual coupon of 6.0% and an amortization option as of the fifth year; another issuance of CoCos, registered with the SEC, for USD 1,000m and a coupon of 6.5% with an amortization option after five and a half years; and a Tier 2 subordinated debt issuance of €750m, with a maturity period of ten years and an amortization option in the fifth year and a coupon of 2.575%.
- In January 2020, BBVA, S.A. issued €1,000m of Tier 2 subordinated debt over a ten-year period, with an option of early amortization in the fifth year, and a coupon of 1%.
- In addition, during 2019 the early amortization option of the CoCos issuance in the amount of €1,500m with a coupon of 7% and issued in February 2014, was executed, and in February 2020, the amortization of the €1,500m CoCos issued in February 2015 with a coupon of 6.75%, was announced; a Tier 2 subordinated debt issuance for €1,500m with a coupon of 3.5% and issued in April 2014, was also amortized. In June 2019, BBVA, S.A., as the universal successor to Unnim Banc, S.A.U., exercised the early amortization of the issuance of subordinated bonds, originally issued by Caixa d'Estalvis de Sabadell, for an outstanding nominal amount of €4,878,000.
- In the United States, BBVA USA, during the third quarter of the year, issued a USD 600m senior bond with a five-year maturity and 2.5% coupon. The purpose of this issuance was to renew a maturity of the same amount.
- In Mexico, a €471m senior debt instrument was issued in the second quarter of the year in the local market in two tranches: €236m with a three-year maturity at a rate of TIIE +28 basis points and €236m with an 8-year maturity referenced to Mbono +80 basis points, obtaining the lowest funding cost in the history of the local market in both maturities. In the third quarter, a Tier 2 issuance was executed in the amount of USD 750m, with a maturity of 15 years, with an early amortization option in the tenth year and a coupon of 5.875%. The funds obtained were used to carry out a partial repurchase of two subordinated issuances that were no longer being calculated in capital (USD 250m with maturity in 2020 and USD 500m with maturity in 2021).
- In Turkey, Garanti BBVA, in the first quarter of the year, issued a Diversified Payment Rights (DPR) securitization for USD 150m with a five year maturity. It also renewed syndicated loans for USD 784m in the first half of the year and USD 800m in the second half of the year. Garanti obtained financing for an amount of USD 322m through a bilateral loan and issued a USD 50m green bond in December. Additional bilateral funds for USD 110m were also signed in December 2019.
- In South America, during 2019, BBVA Peru issued an equivalent amount of €116m, of which €66m were issued during the last quarter of the year, while BBVA Argentina issued marketable bonds on the local market for approximately €53m (€29m in the last quarter of the year, after the change of government). In Chile, Forum issued a bond on the local market for an amount equivalent to €107m in the first half of 2019.
Operational Risk
BBVA defines operational risk (“OR”) as any risk that could result in losses caused by human error; inadequate or flawed internal processes; undue conduct with respect to customers, markets or the institution; failures, interruptions or flaws in systems or communications; inadequate data management; legal risk; and finally, as a result of external events, including cyberattacks, third-party fraud, disasters and defective service provided by suppliers.
Operational risk management is oriented towards the identification of the root causes to avoid their occurrence and mitigate possible consequences. This is carried out through the establishment of mitigation plans and control frameworks aimed at minimizing resulting losses and their impact on the recurrent generation of income and the profit of the Group. Operational risk management is integrated into the global risk management structure of the BBVA Group.
This section addresses general aspects of operational risk management as the main component of non-financial risks. However, sections devoted to conduct and compliance risk and to cybersecurity risk management are also included in the non-financial information report.
Operational Risk Management Principles
The BBVA Group is committed to preferably applying advanced operational risk management models, regardless of the capital calculation regulatory model applicable at the time. Operational risk management at the BBVA Group shall:
- Be aligned with the Risk Appetite Framework ratified by the BBVA Board of Directors.
- Address BBVA's management needs in terms of compliance with legislation, regulations and industry standards, as well as the decisions or positioning of BBVA's corporate bodies.
- Anticipate the potential operational risk to which the Group may be exposed as a result of the creation or modification of products, activities, processes or systems, as well as decisions regarding the outsourcing or hiring of services, and establish mechanisms to assess and mitigate risk to a reasonable extent prior to implementation, as well as review the same on a regular basis.
- Establish methodologies and procedures to enable regular reassessment of the significant operational risk to which the Group is exposed, in order to adopt appropriate mitigation measures in each case, once the identified risk and the cost of mitigation (cost/benefit analysis) have been considered, while safeguarding the Group's solvency at all times.
- Promote the implementation of mechanisms that support careful monitoring of all sources of operational risk and the effectiveness of mitigation and control environments, fostering proactive risk management.
- Examine the causes of any operational events suffered by the Group and establish means to prevent the same, provided that the cost/benefit analysis so recommends. To this end, procedures must be in place to evaluate operational events and mechanisms and to record the operational losses that may be caused by the same.
- Evaluate key public events that have generated operational risk losses at other institutions in the financial sector and support, where appropriate, the implementation of measures as required to prevent them from occurring at the Group.
- Identify, analyze and attempt to quantify events with a low probability of occurrence and a high impact, which by their exceptional nature may not be included in the loss database or, if they are, feature impacts that are not very representative for the purpose of valuing possible mitigation measures.
- Have an effective system of governance in place, where the functions and responsibilities of the corporate areas and bodies involved in operational risk management are clearly defined.
- Be performed in coordination with the management of other risks, taking into consideration credit or market events that may have an operational origin.
Operational risk control and management model
The operational risk management cycle at BBVA is similar to the one implemented for the rest of risks. Its elements are:
Operational risk management parameters
Operational risk forms part of the risk appetite framework of the Group and includes three types of metrics and limits:
- Economic capital calculated with the operational losses database of the Group and the industry, considering the corresponding diversification effects and the additional estimation of potential and emerging risks through stress scenarios designed for the main types of risks. The economic capital is regularly calculated for the main banks of the Group and simulation capabilities are available to anticipate the impact of changes on the risk profile or new potential events.
- ORI metrics (Operational Risk Indicator: operational risk losses vs. gross income) broken down by geography, business area and type of risk.
- Additionally, a more granular common scheme of metrics (indicators and limits) covering the main types of operational risk is being implemented throughout the Group. These metrics will make it possible to intensify the anticipatory management of risk and objectify the appetite to different sources.
Operational risk admission
The main purposes of the operational risk admission phase are the following:
- To anticipate potential operational risk to which the Group may be exposed due to the release of new, or modification of existing, products, activities, processes or systems, as well as purchasing decisions (e.g. outsourcing).
- To ensure that implementation is only performed once appropriate mitigation measures have been taken in each case, including risk assurance where deemed appropriate.
The Corporate Non-Financial Risk Management Policy sets out the specific operational risk admission framework through different committees, at a corporate and Business Area level, that follow a delegation structure based on the risk level of proposed initiatives.
Operational risk monitoring
The purpose of this phase is to check that the target operational risk profile of the Group is within the authorized limits. Operational risk monitoring considers 2 scopes:
- Monitoring the operational risk admission process, oriented towards checking that accepted risks levels are within the limits and that defined controls are effective.
- Monitoring the operational risk "stock" associated with processes. This is done by carrying out a periodic re-evaluation in order to generate and maintain an updated map of the relevant operational risks in each Area, and evaluate the adequacy of the monitoring and mitigation environment for said risks. This promotes the implementation of action plans to redirect the weaknesses detected.
This process is supported by a corporate Governance, Risk & Compliance tool that monitors OR at a local level and its aggregation at a corporate level.
In addition, and in line with the best practices and recommendations provided by the BIS, BBVA has procedures to collect the operational losses that have occurred in the different entities of the Group and in other financial groups, with the appropriate level of detail to carry out an effective analysis that provides useful information for management purposes and to contrast the consistency of the Group's operational risk map. To that end, a corporate tool of the Group is used.
The Group ensures continuous monitoring by each Area of the due functioning and effectiveness of the control environment, taking into consideration management indicators established for the Area, any events and losses that have occurred, as well as the results of actions taken by the second line of defense, the internal audit unit, supervisors or external auditors.
Operational risk mitigation
Several cross-sectional plans have been promoted in recent years across the entire BBVA Group to encourage forward-looking management of operational risks. To that end, areas of focus have been identified from events, self-assessments and recommendations from auditors and supervisors in different geographies, both in the Group and the industry, thereby analyzing the best practices and fostering comprehensive action plans to strengthen and standardize the control environment.
One of the core plans is outsourcing management, which is an increasingly important subject in the Group, the industry and the regulatory environment. Some of the different initiatives launched under this scheme are summarized below:
- Strengthening the admission process of these initiatives and their control and monitoring frameworks.
- New internal regulation comprising the best practices of the industry.
- Integration in the 3 lines of defense control model: roles and responsibilities in each phase of its life cycle.
- Risk management of the service and the supplier.
- Review of its governance process, which is included in operational risk governance, and escalation criteria.
- Adaptation of the model and the management tool to the new requirements, including those coming from the new EBA guidelines, in force since September 30, 2019.
This plan will still be in place throughout 2020 with a focus on aligning our stock of arrangements with the new standards introduced by the EBA guidelines.
Insurance of Operational Risk
Insurance is one of the possible options for managing the operational risk to which the Group is exposed, and mainly has two potential purposes:
- Coverage of extreme situations linked to recurrent events that are difficult to mitigate or can only be partially mitigated by other means.
- Coverage of nonrecurrent events that could have significant financial impact, if they occurred.
The Group has a general framework that regulates this area, and allows systematizing risk assurance decisions, aligning insurance coverage with the risks to which the Group is exposed and reinforcing governance in the decision-making process of arranging insurance policies.
Operational Risk Control Model
BBVA Group's operational risk governance model is based on two components:
- Three-line defense control model, in line with industry best practices, and which guarantees compliance with the most advanced operational risk internal control standards.
- Scheme of Corporate Assurance Committees and Internal Control and Operational Risk Committees at the level of the different business and support areas.
Corporate Assurance establishes a structure of committees, both local and corporate, to provide senior management with a comprehensive and homogeneous vision of these significant situations. The aim is to support rapid decision-making with foresight, for the mitigation or assumption of the main risks.
Each geography has a Corporate Assurance Committee chaired by the Country Manager and whose main functions are:
- Monitoring the changes in the non-financial risks and their alignment with the defined strategies and policies and the risk appetite.
- Analyzing and assessing controls and measures established to mitigate the impact of the risks identified, should they materialize.
- Making decisions about the proposals for risk taking that are conveyed by the working groups or that arise in the Committee itself.
- Promoting transparency by encouraging the proactive participation of the three lines of defense in discharging their responsibilities, and of the rest of the organization, in this area.
At the holding company level there is a Global Corporate Assurance Committee, chaired by the Group's Chief Executive Officer. Its main functions are similar to those already described but applicable to the most important issues that are escalated from the geographies and the holding company areas.
The business and support areas have an Internal Control and Operational Risk Committee, the purpose of which is to ensure the due implementation of the operational risk management model within its scope of action and drive active management of such risk, taking mitigation decisions when control weaknesses are identified and monitoring the same.
Additionally, the Non-Financial Risk unit periodically reports the status of the management of non-financial risks in the Group to the Board's Risk and Compliance Committee.
Risk factors
As mentioned earlier, BBVA has processes in place for identifying risks and analyzing scenarios that enable the Group to manage risks in a dynamic and proactive way.
The risk identification processes are forward looking to ensure the identification of emerging risks and take into account the concerns of both the business areas, which are close to the reality of the different geographical areas, and the corporate areas and senior management.
Risks are captured and measured consistently using the methodologies deemed appropriate in each case. Their measurement includes the design and application of scenario analyses and stress testing and considers the controls to which the risks are subjected.
As part of this process, a forward projection of the risk appetite framework variables in stress scenarios is conducted in order to identify possible deviations from the established thresholds. If any such deviations are detected, appropriate measures are taken to keep the variables within the target risk profile.
To this extent, there are a number of emerging risks that could affect the Group's business trends. These risks are described in the following main sections:
Macroeconomic and geopolitical risks
Global growth decelerated in 2019 to growth rates slightly below 3% in annual terms in the second half of the year, below the 3.6% of 2018. Increased trade protectionism and geopolitical risks had a negative impact on economic activity, mainly on exports and investment, in addition to the structural slowdown in the Chinese economy and the cyclical moderation of the US and Eurozone economies. However, the counter-cyclical policies announced in 2019, led by central banks, along with the recent reduction in trade tensions between the United States and China and the disappearance of the risk of a disorderly Brexit in the short term, are leading to some stabilization of global growth, based on the relatively strong performance of private consumption supported by the relative strength of labor markets and low inflation. Thus, global growth forecasts stand around 3.2% for both 2019 and 2020.
In terms of monetary policy, the major central banks took more loosening measures last year. In the United States, the Federal Reserve reduced interest rates between July and October by 75 basis points to 1.75%. In the Eurozone, the European Central Bank (ECB) announced in September a package of monetary measures to support the economy and the financial system, including: (i) a deposit facility interest rate reduction of ten basis points, leaving them at -0.50%, (ii) the adoption of a phased interest rate system for the previously mentioned deposit facility, (iii) a new debt purchase program of €20 billion per month, and (iv) an improvement in financing conditions for banks in the ECB's liquidity auctions. The latest signs of growth stabilization contributed to the decision of both monetary authorities to keep interest rates unchanged in recent months, although additional stimulus measures are not ruled out in the event of a further deterioration of the economic environment. In China, in addition to fiscal stimulus decisions and exchange rate depreciation, a cut in reserve requirements for banks was recently announced and base rates have been reduced. Accordingly, interest rates will remain low in major economies, enabling emerging countries to gain room for maneuver.
Regulatory and reputational risks
Financial institutions are exposed to a complex and ever-changing regulatory environment defined by governments and regulators. This can affect their ability to grow and the capacity of certain businesses to develop, and result in stricter liquidity and capital requirements with lower profitability ratios. The Group constantly monitors changes in the regulatory framework so that it can anticipate and adapt to them in a timely manner, adopt industry practices and apply more efficient and rigorous criteria in its implementation.
The financial sector is under ever closer scrutiny by regulators, governments and society itself. In the course of activities, situations which might cause relevant reputational damage to the entity could arise and might affect the regular course of business. The attitudes and behaviors of the Group and its members are governed by the principles of integrity, honesty, long-term vision and industry practices through, inter alia, the internal control Model, the Code of Conduct, the tax strategy and the Responsible Business Strategy of the Group.
For more information regarding the model of work risk prevention, the compliance system, the management of the tax risk as well as social and environmental risks, see sections “Work environment”, “Ethical behavior”, “Fiscal transparency” and “Sustainable Finance”, respectively, within the Non-financial statement.
IBOR reform
Regarding the regulatory risks, the global interest rates benchmark reform is a key area of focus for BBVA. Interbank interest rates (IBORs) are key references that underpin many contracts within the financial sector worldwide. Following the 2014 recommendations from the Financial Stability Board (FSB), authorities in various countries are promoting initiatives that enable the financial system to reduce its reliance on IBORs and make a transition to risk-free alternative interest rates (RFR) by the end of 2021. These RFRs have been designed to overcome the difficulties related to the IBOR rates, in particular to minimize reliance on expert judgment and ensure greater transparency and understanding during its definition process. Transitions could occur from the rate that was historically used as a reference to the new RFR (e.g. the transition from EONIA to €STR in Europe, or the transition from the LIBOR dollar to SOFR in the United States) or by evolving the existing index methodology, in both cases overnight (e.g. SONIA for the GBP market) or term (e.g. EURIBOR).
The BBVA Group has a significant number of financial assets and liabilities whose contracts refer to IBOR rates. EURIBOR is identified as the most relevant reference rate in the Group, and is used, among others, for loans, deposits and debt issues as well as underlying in derivative instruments. In the case of EONIA, it has a minor presence in the banking book but it is used as the underlying rate in derivative instruments in the trading book and for the treatment of collaterals, mainly in Spain. In the case of LIBORs, the USD is the most relevant currency for both loans and debt instruments for the banking book and trading book. Other LIBOR currencies (CHF, GBP and JPY) have a minor presence.
The IBOR transition has been identified as a complex initiative, affecting BBVA in different geographical areas and business lines, as well as in a multitude of products, systems and processes. For this reason, BBVA has established a transition project with a robust governance structure. The Executive Steering Committee is represented by the senior management of the affected areas and reports directly to the Group’s Global Leadership Team. At local level, each geographical area has established a local governance structure with the participation of the senior management. Coordination between geographical areas is ensured through the Project Management Office (PMO) and the Global Working Groups that have a multi-geographic and cross-sectional vision of the Legal, Risk, Regulatory, Finance and Accounting, Engineering and Communication areas. The project has also been raised in the Corporate Assurance committees of the geographical areas and businesses as well as in the Group’s Global Corporate Assurance committee.
The project considers the different approaches and timings for transition to the new RFRs when assessing the economic, operational, legal, financial, reputational and compliance risks associated with the transition, as well as defining the lines of action to mitigate them. One important aspect is the impact on financial instruments contracts that refer to the IBOR rates and that expire after 2021. In the case of the EONIA, BBVA will take measures to novate contracts that expire after 2021. The Group already has new clauses that include the €STR as a substitute index as well as clauses that include the €STR as the main index in new contracts. In the derivatives area (the main use of the EONIA) the actions are leveraged in the work of ISDA. In the case of LIBOR, uncertainty regarding its future requires identifying the contracts that expire after 2022 in order to prepare for potential contractual novations. At the same time, the clauses that industry associations suggest as alternatives or substitutes for LIBOR are being analyzed so that they can be included in the contracts. With regard to the EURIBOR, the European authorities have supported the index’s continuation and the evolution of its methodology so that it complies with the European Benchmarks Regulation. The authorities have also said that the new methodology continues to measure the same economic reality. BBVA is actively involved in various working groups such as the EURO RFR WG, which actively works to define fallback provisions in contracts, amongst other things.
BBVA will make every reasonable effort to treat its customers in a fair and transparent manner and to safeguard their interests during the transition to the new benchmarks. BBVA also remains committed to market participants, authorities and our customers to back an orderly transition and mitigate the risks that result from it.
Business, operational and legal risks
New technologies and forms of customer relationships: Developments in the digital world and in information technologies pose significant challenges for financial institutions, entailing threats (new competitors, disintermediation…) but also opportunities (new framework of relations with customers, greater ability to adapt to their needs, new products and distribution channels...). Digital transformation is a priority for the Group as it aims to lead digital banking of the future as one of its objectives.
Technological risks and security breaches: The Group is exposed to new threats such as cyberattacks, theft of internal and customer databases, fraud in payment systems, etc. that require major investments in security from both the technological and human point of view. The Group attaches great importance to active operational and technological risk management and control.
For more information regarding customer protection, see section “Customer care” within the Non-financial information report.
The financial sector is exposed to increasing litigation, so financial institutions face a large number of proceedings of every kind, civil, criminal, administrative, litigation, as well as investigations from the supervisor or other governmental authorities, across several jurisdictions, the consequences of which are difficult to determine (including those procedures in which an undetermined number of applicants is involved, in which damages claimed are not easy to estimate, in which an exorbitant amount is claimed, in which new jurisdictional issues are introduced under creative non-contrasted legal arguments and those which are at a very initial stage).
In Spain, in many of the existing procedures, applicants claim, both before Spanish courts and through preliminary rulings before the European Union Court of Justice, that various clauses usually included in mortgage loans with credit institutions should be declared abusive (including mortgage fees clauses, early redemption right clause, referenced interest rate type and opening fee). In particular, with regard to consumer mortgage loan agreements linked to the mortgage loan reference index (Índice de Referencia de los Préstamos Hipotecarios, IRPH), which is the average interest rate calculated by the Bank of Spain and published in the Official Spanish Gazette (Boletín Oficial del Estado) for mortgage loans of more than three years for freehold housing purchases granted by Spanish credit institutions and which is considered the “official interest rate” by mortgage transparency regulations, on 14th December, 2017 the Spanish Supreme Court, in its Ruling No 669/2017 (the Ruling), held that it was not possible to determine that a loan's interest rate was not transparent simply due to it making reference to one official rate or another, nor can its terms then be confirmed as unfair under the provisions of Directive 93/13/EEC of 5th April, 1993. As of the date of this Annual Report, a preliminary ruling is pending in which the Ruling is being challenged before the Court of Justice of the European Union. BBVA considers that the Ruling is clear and well founded.
On September 10, 2019, the Advocate General of the Court of Justice of the European Union issued a report on this matter.
In that report, the Advocate General of the Court of Justice of the European Union concluded that the bank to which the preliminary ruling relates (Bankia, S.A.) complied with the requirement of transparency imposed by the applicable European regulation. The Advocate General also indicated that it is for the national courts to carry out the checks they consider necessary in order to analyze compliance with the applicable transparency obligations in each individual case.
The Advocate General's report does not bind the decision which the Court of Justice of the European Union may take finally on this matter in the future.
It is therefore necessary to await the Court of Justice of the European Union’s ruling on the matter referred in the preliminary ruling in order to determine whether it may have any effect on BBVA.
The impact of any potential unfavorable ruling by the Court of Justice of the European Union is difficult to predict at this time, but could be material. The impact of such a resolution may vary depending on matters such as (i) the decision of the Court of Justice of the European Union on what interest rate should be applied to the applicable loans; and (ii) whether the effects of the judgment are applied retroactively. According to the latest available information, the amount of mortgage loans to individuals linked to IRPH and up to date with the payment is approximately €2,800m.
In addition, there are also claims before the Spanish courts challenging the application of certain interest rates and other mandatory rules to certain revolving credit card agreements. The resolutions in this type of proceedings against the Group or other banking entities may directly or indirectly affect the Group.
The Group is involved in several competition investigations and other legal actions related to competition initiated by third parties in various countries which may give rise to penalties and claims by third parties.
As mentioned in the section “Other non-financial risks” of the Non-financial information report of this Management report, Central Investigating Court No. 6 of the National High Court is investigating the activities of Centro Exclusivo de Negocios y Transacciones, S.L. (Cenyt) in the Preliminary Proceeding No. 96/2017. Piece No. 9 of this proceeding includes the provision of services to the Bank. It is not possible at this time to predict the scope or duration of such proceeding or any related proceeding or its or their possible outcomes or implications for the Group, including any fines, damages or harm to the Group’s reputation caused thereby.
The Group regularly promotes internal investigations into possible violations of its code of conduct or applicable regulations, including corruption and sanctions, and such investigations could be time-consuming and costly. In addition, the Group constantly manages and monitors investigations, proceedings and legal or regulatory actions brought by third parties, making provisions for their coverage where necessary (based on the number of disputes and the status of the proceedings or actions). However, the outcome of investigations, legal or regulatory proceedings or actions, to which the Bank is already a party, as well as those which may arise in the future or to which other credit entities are a party, is difficult to predict and, accordingly, in the event of changes in legal criteria or adverse outcomes of some of these, the provisions recorded may be insufficient and may have a material adverse effect on the Group's business, financial position and result of operations.