Risk management

General risk management and control model

The BBVA Group has a general risk management and control model (hereinafter, the “Model”) that is appropriate for its business model, its organization, the countries where it operates and its corporate governance system. This model allows the Group to carry out its activity within the risk management and control strategy and policy defined by the corporate bodies of BBVA and to adapt itself to a changing economic and regulatory environment, facing this management at a global level and aligned to the circumstances at all times.

The Model, for which the Group’s Chief Risk Officer (CRO) is responsible and that must be updated or reviewed at least annually, is fully applied in the Group and it comprises the following basic elements:

• Governance and Organization
• Risk Appetite Framework
• Assessment, Monitoring and Reporting
• Infrastructure.

The Group promotes the development of a risk culture that ensures a consistent application of the Model in the Group, and that guarantees that the risks function is understood and internalized at all levels of the organization.

Governance and Organization

The risk governance model in the BBVA Group is characterized by a special involvement of its corporate bodies, both in setting the risk strategy and in monitoring and supervising its implementation on an ongoing basis.

Thus, and as explained below, the corporate bodies are responsible for approving the risk strategy and the general policies for the different types of risks. Global Risk Management (GRM) & Regulation and Internal Control (including, among other areas, Non-Financial Risks) are the functions responsible for its implementation and development, with the appropriate reporting to corporate bodies.

Responsibility for day-to-day management of risks falls on business and corporate areas, the activities of which adhere to the general policies, regulation, infrastructures and controls that, based on the framework set by corporate bodies, are defined by Global Risk Management and Regulation & Internal Control in their corresponding areas of responsibility.

To carry out this work adequately, the financial risks function in the BBVA Group (GRM) has been set up as a single, global function independent from commercial areas.

The head of the risks function at an executive level, the Group’s Chief Risk Officer (or CRO), is appointed by the Board of Directors as a member of its senior management, and reports directly on the development of the corresponding functions to the corporate bodies. The Chief Risk Officer, for the best fulfillment of the functions, is supported by a structure consisting of cross-cutting risk units in the corporate area and specific risk units in the Group's geographical and/or business areas.

In addition, and with regard to internal control and non-financial risks, the Group has a Regulation & Internal Control area independent from the rest of units and whose head (Head of Regulation & Internal Control) is also appointed by the Board of Directors of BBVA and reports directly to corporate bodies on the performance of its functions. This area is responsible for proposing and implementing non-financial risks policies and the Internal Control Model of the Group and it is composed by, among other, the Non-Financial Risks, Regulatory Compliance and Risk Internal Control units.

The Risk Internal Control unit, within the Regulation & Internal Control area and, therefore, independent from the financial risks function (GRM), acts as a control unit for the activities carried out by GRM. In this regard, and without prejudice to the functions performed in this regard by the Internal Audit area, Risk Internal Control checks that the regulatory framework, processes and established measures are sufficient and appropriate for each type of financial risk. It also monitors its implementation and operation, and confirms that those decisions taken by GRM are taken independently from the business lines and, in particular, that there’s an adequate segregation of functions between units.

Governance and organizational structure are basic pillars for ensuring an effective risk management and control. This section summarizes the roles and responsibilities of the corporate bodies in the risks area, of the Group's Chief Risk Officer and, in general, of the risks function, its interrelation and the group of committees, in addition to the Risk Internal Control unit.

Corporate Bodies of BBVA

According to the corporate governance system of BBVA, the Board of Directors of the Bank has certain reserved powers concerning management, through the implementation of the corresponding most relevant decisions, and concerning supervision and control, through the monitoring and supervision of implemented decisions and management of the Bank.

In addition, and to ensure an adequate performance of the management and supervisory functions of the Board of Directors, the corporate governance system comprises different committees supporting the Board of Directors with regard to matters falling within their competence, and according to the specific charters of each committee. For this purpose, a coordinated work scheme between these corporate bodies has been established.

In terms of risks, the Board of Directors has reserved those powers referred to determining the risk control and management policy and the supervision and control of its implementation.

In addition, and for an adequate performance of its duties, the Board of Directors is assisted by the Risk and Compliance Committee (“CRC”), on the issues detailed below, and by the Executive Committee (“CDP”), which is focused on the strategy, finance and business functions of the Group, for the purposes of which it monitors the risks of the Group.

The involvement of the corporate bodies of BBVA in the control and management of the risks of the Group is detailed below:

• Board of Directors
• The Board of Directors is responsible for establishing the risk strategy of the Group and, in this role, it determines the risks management and control policy, through the following documents:
• o The Risk Appetite Framework of the Group, which includes in the one hand the risk appetite statement of the Group, that is, the general principles governing the risk strategy of the Group and its target profile; and, on the other hand, and based on the above mentioned risk appetite statement, a set of quantitative metrics (core metrics, and their corresponding statements, and by type of risk metrics), reflecting the risk profile of the Group;
• o The framework of management policies of the different types of risk to which the Bank is, or could be, exposed. They contain the basic lines for a consistent management and control of risks throughout the Group, and consistent with the Risk Appetite Framework and the Model; and
• The model.
• All of the above in coordination with the rest of prospective-strategic decisions of the Bank, which includes the Strategic Plan, the Annual Budget, the Capital Plan and the Liquidity & Funding Plan, in addition to the rest of management objectives, whose approval is a responsibility of the Board of Directors.
• In addition to defining the risk strategy, the Board of Directors, in the performance of its risks monitoring, management and control tasks, also monitors the evolution of the risks of the Group and of each main business and/or geographical area, ensuring compliance with the Risk Appetite Framework of the Group; and also supervising the internal information and control systems.
• For the development of all these functions, the Board of Directors is supported by the CRC and the CDP, which are responsible for the functions detailed below.
• Risk and Compliance Committee
• The CRC is, according to its own charter, composed of non-executive directors and its main purpose is to assist the Board of Directors on the establishment and monitoring of the risk control and management policy of the Group.
• For this purpose, it assists the Board of Directors in a variety of risk control and monitoring areas, in addition to its analysis functions, based on the strategic pillars established by the Board of Directors and the CDP, the proposals on the risk management, control and strategy of the Group, which are particularly specified in the Risk Appetite Framework and in this Model. After the analysis, the Risk Appetite Framework and Model proposal is submitted to the Board of Directors for consideration and, where appropriate, approval purposes.
• In addition, the CRC proposes, in a manner consistent with the Risk Appetite Framework of the Group approved by the Board of Directors, the management and control policies of the different risks of the Group, and supervises the internal control and information systems.
• With regard to the monitoring of the evolution of the risks of the Group and their degree of compliance with the Risk Appetite Framework and defined general policies, and without prejudice to the monitoring task carried out by the Board of Directors and the CDP, the CRC carries out monitoring and control tasks with greater frequency and receives information with a sufficient granularity to achieve an adequate performance of its duties.
• The CRC also analyzes all measures planned to mitigate the impact of all identified risks, should they materialize, which must be implemented by the CDP or the Board of Directors, as the case may be.
• The CRC also monitors the procedures, tools and measurement indicators of those risks established at a Group level in order to have a comprehensive view of the risks of BBVA and its Group, and monitors compliance with the regulation and supervisory requirements in terms of risks.
• The CRC is also responsible for analyzing those project-related risks that are considered strategic for the Group or corporate transactions that are going to be submitted to the Board of Directors of the CDP, within its scope of competence.
• In addition, it contributes to the setting of the remuneration policy, checking that it is compatible with an appropriate and efficient management of risks and that it does not provide incentives to take risks breaching the level tolerated by the Bank.
• Lastly, the CRC ensures the promotion of the risk culture in the Group.
• Executive Committee (CDP)
• In order to have a complete and comprehensive view of the progress of the businesses of the Group and its business units, the CDP monitors the evolution of the risk profile and the core metrics defined by the Board of Directors, being aware of any potential deviation or breach of the metrics of the Risk Appetite Framework and implementing, when applicable, the appropriate measures, as explained in the Model.
• In addition, the CDP is responsible for proposing the basis for developing the Risk Appetite Framework, which will be established in coordination with the rest of prospective/strategic decisions of the Bank and the rest of management objectives.
• Lastly, the CDP is the committee supporting the Board of Directors in decisions related to business risk and reputational risk, according to the dispositions set out in its own charter.

Chief Risk Officer of the Group

The Group’s Chief Risk Officer (CRO) is responsible for the management of all the financial risks of the Group with the necessary independence, authority, rank, experience, knowledge and resources. The CRO is appointed by the Board of Directors of BBVA and has direct access to its corporate bodies (Board of Directors, CDP and CRC), with the corresponding regular reporting on the risk situation in the Group.

The GRM area has a responsibility as the unit transversal to all the businesses of the BBVA Group. This responsibility is part of the structure of the BBVA Group, which is formed by subsidiaries based in different jurisdictions, which have autonomy and must comply with their local regulation, but always according to the risk management and control scheme designed by BBVA as the parent company of the BBVA Group.

The Chief Risk Officer of the BBVA Group is responsible for ensuring that those risks of the BBVA Group within the scope are managed according to the established model, assuming, among other, the following responsibilities:

• Prepare, in coordination with the rest of areas responsible for risks monitoring and control, and propose to corporate bodies the risk strategy of the BBVA Group, which includes the Risk Appetite statement of the BBVA Group, core (and their respective statements) and by type of risk metrics, and the Model.
• Define, in coordination with the rest of areas responsible for risks monitoring and control, and propose to corporate bodies the general policies for each type of risk within its scope of responsibility and, as part these, to establish the required specific regulation.
• Prepare, in coordination with the rest of areas responsible for risks monitoring and control, and propose for approval, or approving if within its competence, the risk limits for the geographies, business areas and/or legal entities, which shall be consistent with the defined Risk Appetite Framework; it is also responsible for the monitoring, supervision and control of risk limits within its scope of responsibility.
• Submit to the Risk and Compliance Committee the information required to carry out its supervisory and control functions.
• Regular reporting to the corresponding corporate bodies on the situation of those risks of the BBVA Group within its scope of responsibility.
• Identify and assess the material risks faced by the BBVA Group within its scope of responsibility, with an effective management of those risks and, where necessary, with the implementation of the required mitigation measures.
• Early warning to the relevant corporate bodies and the Chief Executive Officer of any material risk within its scope of responsibility that could compromise the solvency of the BBVA Group.
• Ensure, within its scope of responsibility, the integrity of measurement techniques and management information systems and, in general, the provision of models, tools, systems and resources to implement the risk strategy defined by the corporate bodies.
• Promote the risk culture of the BBVA Group to ensure the consistency of the Model in the different countries where it operates, strengthening the cross-cutting model of the risks function.

For decision-making purposes, the Chief Risk Officer of the Group has a governance structure for the function that culminates in a support forum, the Global Risk Management Committee (GRMC). This committee is the main executive committee for those risks within its competence, and its main purpose is the development of the strategies, policies, regulation and infrastructure required for identifying, assessing, measuring and managing those material risks within its scope of responsibility faced by the Group. This committee is composed by the Chief Risk Officer, who chairs the meetings, and the heads of the GRM corporate disciplines of the Risk Management Group, the four most relevant geographical risk areas, CIB, South America and Risk Internal Control. The purpose of the GRMC is to propose and challenge, among other issues, the internal regulatory framework of GRM and the infrastructures required to identify, assess, measure and manage the risks faced by the Group in carrying out its businesses and to approve risk limits.

The GRMC carries out its functions assisted by various support committees which include:

• Global Credit Risk Management Committee: It is responsible for analyzing and decision-making related to wholesale credit risk admission.
• Wholesale Credit Risk Management Committee: its purpose is the analysis and decision-making regarding the admission of wholesale credit risk of certain customer segments of the BBVA Group.
• Work Out Committee: its purpose is to be informed about decisions taken under the delegation framework regarding risk proposals concerning clients on Watch List and clients classified as NPL or written-off of certain customer segments of the BBVA Group, as well the sanction of proposals regarding entries, exits and changes of Watch List, entries and exits in non-performing unlikely to pay and turns to written off, as well as the approval of other proposals that must be seen in this Committee according to the established thresholds and criteria.
• Asset Allocation Committee: The executive authority responsible for managing the limits by asset class for credit risk, equities and real estate not for own use and by business area and at group level established in the Asset Allocation limits planning exercise, which aims to achieve an optimal combination and composition of portfolios under the restrictions imposed by the Risk Appetite Framework (“RAF”), which allows maximizing the risk-adjusted return on regulatory and economic capital when appropriate. Additionally, it takes into account the concentration and credit quality objectives of the portfolio, as well as the prospects and strategic needs of the Bank.
• Risk Models Management Committee: It ensures an appropriate decision-making process regarding the planning, development, implementation, use, validation and monitoring of the models required to achieve an appropriate management of the Model Risk in the BBVA Group.
• Global Markets Risk Unit Global Committee: It is responsible for formalizing, supervising and communicating the monitoring of trading desk risk in all the Global Markets business units, as well as coordinating and approving GMRU key decisions activity, and developing and proposing to GRMC the corporate regulation of the unit.
• Retail Credit Risk Committee: It ensures for the analysis, discussion and decision support on all issues regarding the retail credit risk management that impact or potentially do in the practices, processes and corporate metrics established in the Policies, Rules and Operating Frameworks.
• Asset Management Global Risk Steering Committee: its purpose is to develop and coordinate the strategies, policies, procedures, and infrastructure necessary to identify, assess, measure and manage the material risks facing the bank in the operation of businesses linked to BBVA Asset Management.
• Global Insurance Risk Committee: its purpose is to serve as the basis for the development of the risk management model and the monitoring of the insurance companies of the BBVA Group by developing and coordinating the strategies, policies, procedures and infrastructure necessary to identify, evaluate, measure, monitor and manage the material risks faced by insurance companies.
• COPOR: its purpose is to analyze and make decision in relation to the operations of the various geographies in which Global Markets is present.

Additionally, the Corporate Committee for Admission of Operational Risk and Product Governance (CCAROyGP) aims to ensure the adequate evaluation of initiatives with significant operational risk (new business, product, outsourcing, process transformation, new systems, etc.) from the perspective of operational risk and approval of the proposed control environment

Risk units of the corporate area and the business/geographical areas

The risks function is comprised of risk units from the corporate area, which carry out cross-cutting functions, and of risk units of the geographical/business areas.

• The risk units of the corporate area develop and submit to the Group’s Chief Risk Officer (CRO) the different elements required to define the proposal for the Group's Risk Appetite Framework, the general policies, regulation and global infrastructures within the operating framework approved by corporate bodies; they ensure their application and report directly or through the Group’s Chief Risk Officer (CRO) to the corporate bodies of BBVA. With regard to non-financial risks and reputational risk, which are entrusted to the Regulation & Internal Control and Communications & Responsible Business areas respectively, the corporate units of GRM will coordinate, with the corresponding corporate units of those areas, the development of the elements that should be integrated into the Appetite Framework of the Group.
• The risk units of the business and/or geographical areas develop and submit to the Chief Risk Officer of the geographical and/or business areas the Risk Appetite Framework proposal applicable in each geography and/or business area, independently and always according to the Group's Risk Appetite Framework. In addition, they ensure the application of general policies and rules with the necessary adaptations, when applicable, to local requirements, providing the appropriate infrastructures for risk management and control purposes, within the global risk infrastructure framework defined by the corporate areas, and reporting to the corresponding corporate bodies and senior management, as applicable. With regard to Non-financial risks, which are integrated in the Regulation & Internal Control area, the local risk units will coordinate, with the unit responsible for those risks, the development of the elements that should be integrated into the local Risk Appetite Framework.

Thus, the local risk units work with the risk units of the corporate area with the aim of adapting themselves to the risk strategy at Group level and pooling all the information required to monitor the evolution of their risks.

As previously mentioned, the risks function has a decision-making process supported by a structure of committees, and also a top-level committee, the GRMC, whose composition and functions are described in section “Corporate Bodies of BBVA”.

Each geographical and/or business area has its own risk management committee(s), with objectives and contents similar to those of the corporate area. These committees perform their duties consistently and in line with corporate risk policies and rules, and its decisions are reflected in the corresponding minutes.

Under this organizational scheme, the risks function ensures the integration and application throughout the Group of the risk strategy, the regulatory framework, the infrastructures and standardized risk controls. It also benefits from the knowledge and proximity to customers in each geographical and/or business area, and conveys the corporate risk culture to the Group's different levels. Moreover, this organization enables the risks function to conduct and report to the corporate bodies an integrated monitoring and control of the risks of the entire Group.

Chief Risk Officers of geographical and/or business areas

The risks function is cross-cutting, i.e. it is present in all of the Group's geographical and/or business areas through specific risk units. Each of these units is headed by a Chief Risk Officer for the geographical and/or business area who, within the relevant scope of responsibility, carries out risk management and control functions and is responsible for applying the Model, the general policies and corporate rules approved at Group level in a consistent manner, adapting them if necessary to local requirements and with the subsequent reporting to local corporate bodies.

The Chief Risk Officers of the geographical and/or business areas have functional reporting to the Group's Chief Risk Officer and hierarchical reporting to the head of their geographical and/or business area. This dual reporting system aims to ensure the independence of the local risks function from the operating functions and enable its alignment with the Group's corporate policies and goals related to risks.

Risk Internal Control

The Group has a specific Risk Internal Control unit, within the Regulation & Internal Control area, that, among other tasks, independently challenges and control the regulation and governance structure in terms of financial risks and its implementation and deployment in GRM, in addition to the challenge of the development and implementation of financial risks control and management processes. In addition, it is also responsible for validating the risk models.

For this purpose, it has 3 subunits: RIC-Processes, Risks Technical Secretariat and Risk Internal Validation.

• RIC-Processes. It is responsible for challenging an appropriate development of the functions of GRM units, and for reviewing that the functioning of financial risks management and control processes is appropriate and in line with the corresponding regulation, identifying potential opportunities for improvement and contributing to the design of the action plans to be implemented by the responsible units. In addition, it is the Risk Control Specialist (RCS) in the Group's Internal Control Model and, therefore, establishes the frameworks for mitigating and controlling the risks for which it is responsible.
• Risks Technical Secretariat. It is responsible for the definition, design and management of the principles, policies, criteria and processes through which the regulatory risk framework is developed, processed, reported and disclosed to the countries; and for the coordination, monitoring and assessment of its consistency and completeness. In addition, it coordinates the definition and structure of the most relevant GRM Committees, and monitors their proper functioning, in order to ensure that all risk decisions are taken through an adequate governance and structure, ensuring their traceability. It also provides to the CRC the technical support required in terms of financial risks for a better performance of its functions.
• Risk Internal Validation. It is responsible for validating the risks models. In this regard, it effectively challenges the relevant models used to manage and control the risks faced by the Group, as an independent third party from those developing or using the models in order to ensure its accuracy, robustness and stability. This review process is not restricted to the approval process, or to the introduction of changes in the models, but it is a plan to make a regular assessment of those models, with the subsequent issue of recommendations and actions to mitigate identified weaknesses.

The Head of Risk Internal Control of the Group is responsible for the function and reports about his activities and work plans to the Head of Regulation & Internal Control and to the CRC, with the corresponding support in the issues required, and, in particular, challenging that GRM’s reports submitted to the Committee are aligned with the criteria established at the time.

In addition, the risk internal control function is global and transversal, it includes all types of financial risks and has specific units in all geographical and/or business areas, with functional reporting to the Head of Risk Internal Control of the Group.

The Risk Internal Control function must ensure compliance with the general risks strategy defined by the Board of Directors, with adequate proportionality and continuity. In order to comply with the control activity within its scope. Risk Internal Control is member of GRM’s top-level committees (sometimes even assuming the Secretariat role), independently challenging the decisions that may be taken and, specifically, the decisions related to the definition and application of internal risk regulation.

Furthermore, the control activity is developed within a homogeneous methodological framework at a Group level, covering the entire life cycle of financial risks management and carried out under a critical and analytical approach.

The Risk Internal Control team reports the results of its control function to the corresponding heads and teams, promoting the implementation of corrective measures and submitting these assessments and the resolution commitments in a transparent manner to the established levels.

Lastly, and notwithstanding the control responsibility that GRM teams have in the first instance, Risk Internal Control teams promote a control culture in GRM, conveying the importance of having robust processes.

Risk Appetite Framework

Elements and development

The Group's Risk Appetite Framework approved by the corporate bodies determines the risks and the risk level that the Group is willing to assume to achieve its business objectives considering the organic evolution of business. They are expressed in terms of solvency, liquidity and funding and profitability and income recurrence, which are reviewed periodically and in case of material changes in the business strategy or relevant corporate transactions.

The Risk Appetite Framework is expressed through the following elements:

• Risk Appetite Statement: sets out the general principles of the Group's risk strategy and the target risk profile:
• The BBVA Group develops a multichannel and responsible universal banking business model, based on values, committed to sustainable development and centered on our customers’ needs, focusing on operational excellence and the preservation of adequate security and business continuity.
• BBVA intends to achieve these goals while maintaining a moderate risk profile, so the risk model established aims at ensuring a robust financial position, facilitating its commitment with sustainability and obtaining a sound risk-adjusted profitability throughout the cycle, as the best way to face adverse environments without jeopardizing its strategies .
• Risk Management at BBVA is based on prudent management, an integral view of all risks, a portfolio diversification by geography, asset class and client segment and keeping a long-term relationship with the client, accompanying him in the transition to a sustainable future, to guarantee profitable growth and generation of recurring value.
• Statements and core metrics: based on the appetite statement, statements are established that specify the general principles of risk management in terms of solvency, liquidity and funding and profitability and income recurrence. Moreover, the core metrics reflect, in quantitative terms, the principles and the target risk profile set out in the Risk Appetite statement. Each core metric has three thresholds ranging from usual management of the businesses to higher levels of impairment:
• Management reference: reference that determines a comfortable management level for the Group.
• Maximum appetite: maximum level of risk that the Group is willing to accept in its ordinary activity.
• Maximum capacity: maximum risk level that the Group could assume which, for some metrics, is associated with regulatory requirements.
• Statements and metrics by type of risk: based on the core metrics and their thresholds for each type of risk, statements are established that set out the general management principles for that risk and a number of metrics are determined, whose observance enables compliance with the core metrics and the Group's Risk Appetite statement. These metrics have a maximum risk appetite threshold.

In addition to this Framework, there is a level of management limits that is defined and managed by the areas responsible for the management of each type of risk in the development of the structure of metrics by type of risk, in order to ensure that the early management of risks complies with that structure and, in general, with the established Risk Appetite Framework.

Each significant geographical area (e.g those representing more than 1% of the assets or operating income of the BBVA Group) has its own Risk Appetite framework, consisting of its local Risk Appetite statement, core metrics and statements, metrics and statements by type of risk, which must be consistent with those set at the Group level, but adapted to their own reality. These are approved by the corresponding corporate bodies of each entity. This Appetite Framework is deployed through a structure of limits consistent with the above.

The corporate risks area works with the various geographical and/or business areas to define their Risk Appetite Framework, so that it is coordinated with, and integrated into, the Group's Risk Appetite Framework, making sure that its profile is in line with the one defined. Moreover, and for the purposes of monitoring at local level, the Chief Risks Officer of the geographical and/or business area regularly reports on the evolution of the metrics of the Local Risk Appetite Framework to the corporate bodies, as well as to the relevant top-level local committees, following a scheme similar to that of the Group, in accordance with its own corporate governance systems.

Within the issuing process of the Risk Appetite Framework, Risk Internal Control carries out, within the scope of the GRM area (the GRMC), the effective challenge of the Framework proposal prior to its escalation to corporate bodies, which is also documented, and it is extended to the approval of the management limits under which it is developed, also supervising its adequate approval and extension to the different entities of the Group.

Monitoring of the Risk Appetite Framework and management of breaches

So that corporate bodies can develop the risk functions of the Group, the heads of risks at an executive level will regularly report (or more frequently in the case of the CRC, within its scope of responsibility) on the evolution of the metrics of the Risk Appetite Framework of the Group, with the sufficient granularity and detail, in order to check the degree of compliance of the risks strategy set out in the Risk Appetite Framework of the Group approved by the Board of Directors.

If, through the monitoring of the metrics and supervision of the Risk Appetite Framework by the executive areas, a relevant deviation or breach of the maximum appetite levels of the metrics is identified, that situation must be reported and, where applicable, the corresponding corrective measures must be submitted to the CRC.

After the relevant review by the CRC, the deviation must be reported to the CDP –as part of its role in the monitoring of the evolution of the risk profile of the Group– and to the Board of Directors, which will be responsible, when applicable, for implementing the corresponding executive measures. For this purpose, the CRC will submit to the corresponding corporate bodies all the information received and the proposals prepared by the executive areas, together with its own analysis.

Notwithstanding the foregoing, once the information has been analyzed and the proposal of corrective measures has been reviewed by the CRC, the CDP may adopt, on grounds of urgency and under the terms established by law, measures corresponding the Board of Directors, but always reporting those measures to the Board of Directors in the first meeting held after the implementation for ratification purposes.

In any case, an appropriate monitoring process will be established –with a greater information frequency and granularity, if required– regarding the evolution of the breached or deviated metric, and the implementation of the corrective measures, until it has been completely redressed, with the corresponding reporting to corporate bodies, in accordance with its risks monitoring, supervision and control functions.

Integration of the Risk Appetite Framework into the management

The transfer of the Risk Appetite Framework to ordinary management is underpinned by three basic elements:

• The existence of a consistent regulatory framework: the corporate risks area defines and proposes the general policies within its scope of action, and develops the additional internal regulation required for the development of those policies and the operating frameworks on the basis of which risk decisions must be adopted within the Group. The approval of the general policies for all types of risks is a responsibility of the corporate bodies of BBVA, while the rest of regulation is defined at an executive level according to the framework of competences applicable at any given time. The Risks units of the geographical and/or business areas comply with this regulation and performing, where necessary, the relevant adaptation to local requirements, in order to have a decision-making process that is appropriate at local level and aligned with the Group's policies.
• Risk planning, which ensures the integration into the management of the Risk Appetite Framework through a cascade process established to set limits adjusted to the target risk profile. The Risks units of the corporate area and of the geographical and/or business areas are responsible for ensuring the alignment of this process with the Group's Risk Appetite Framework in terms of solvency, liquidity and funding and profitability and income recurrence.
• A comprehensive management of risks during their life cycle, based on differentiated treatment according to their type.

Assessment, monitoring and reporting

Assessment, monitoring and reporting is a cross-cutting function at Group level. This function ensures that the model has a dynamic and proactive vision to enable compliance with the Risk Appetite Framework approved by the Board of Directors, even in adverse scenarios.

This process is integrated in the activity of the Risk units, both of the corporate area and in the geographical and/or business units, together with the units specialized in non-financial risks and reputational risk within the Regulation & Internal Control and Communications & Responsible Business areas respectively, in order to generate a comprehensive and single view of the risk profile of the Group.

This process is developed through the following phases:

• Monitoring of the identified risk factors that can compromise the performance of the Group or of the geographical and/or business areas in relation to the defined risk thresholds.
• Assessment of the impact of the materialization of the risk factors on the metrics that define the Risk Appetite Framework based on different scenarios, including stress testing scenarios.
• Response to unwanted situations and proposals for redressing measures to the corresponding levels, in order to enable a dynamic management of the situation, even before it takes place.
• Monitoring the Group's risk profile and the identified risk factors, through internal, competitor and market indicators, among others, to anticipate their future development.
• Reporting: complete and reliable information on the evolution of risks to corporate bodies and senior management, with the frequency and completeness appropriate to the nature, significance and complexity of the reported risks. The principle of transparency governs all the risk information reporting process.

Infrastructure

For the implementation of the Model, the Group has the resources required for an effective management and supervision of risks and for achieving its goals. In this regard, the Group's risks function:

• Has the appropriate human resources in terms of number, ability, knowledge and experience. The profile of resources will evolve over time based on the specific needs of GRM and Regulation & Internal Control, always with a high analytical and quantitative capacity as the main feature in the profile of those resources. Likewise, the corresponding units of the geographical and/or business areas ensure they have sufficient means from the resources, structures and tools perspective in order to achieve a risk management process aligned with the corporate model.
• Develops the appropriate methodologies and models for the measurement and management of the different risk profiles, and the assessment of the capital required to take those risks.
• Has the technological systems required to: support the Risk Appetite Framework in its broadest definition; calculate and measure the variables and specific data of the risk function; support risk management according to this Model; and provide an environment for storing and using the data required for risk management purposes and reporting to supervisory bodies.
• Promotes an adequate data governance to ensure solid quality standards in the processes aligned with the relevant internal regulation.

Within the risk functions, both the profiles and the infrastructure and data shall have a global and consistent approach.

The human resources among the countries must be equivalent, ensuring a consistent operation of the risk function within the Group. However, they will be distinguished from those of the corporate area, as the latter will be more focused on the conceptualization of appetite frameworks, operating frameworks, the definition of the regulatory framework and the development of models, among other tasks.

As in the case of the human resources, technological platforms must be global, thus enabling the implementation of the risk appetite framework and the standardized management of the risk life cycle among all countries.

The corporate area is responsible for deciding on the platforms and for defining the knowledge and roles of the human resources. It is also responsible for defining risk data governance.

The foregoing is reported to the corporate bodies of BBVA so they can ensure that the Group has the appropriate means, systems, structures and resources.

Credit risk

The local authorities of the countries in which the Group operates have initiated economic support measures including the granting of relief measures in terms of temporary payments deferrals for customers affected by the pandemic, as well as the granting of loans, especially to companies and SMEs, with public guarantees. The amount of current payment deferrals granted by the Group was €6,803m at December 31, 2020.

These measures are supported by the rules issued by the authorities of the geographical areas where the Group operates as well by certain industry agreements and should help to ease the temporary liquidity needs of the customers. The classification of the customers’ credit quality and the calculation of the expected credit loss, once the credit quality of those customers have been reviewed under the new circumstances, will depend on the effectiveness of these relief measures. In any case, the incorporation of public guarantees is considered to be a mitigating factor in the estimation of the expected credit losses.

For the purposes of classifying exposures based on their credit risk, the Group has maintained a rigorous application of IFRS9 at the time of the granting of the moratoriums and has reinforced the procedures to monitor credit risk both during their validity and upon their expiration. In this sense, additional indicators have been introduced to identify the significant increase in risk that may have occurred in some operations or a set of them and, where appropriate, proceed to its classification in the corresponding risk stage.

Likewise the indications provided by the European Banking Authority (EBA) have been taken into account to not consider refinancing the moratoriums that meet a series of requirements, without prejudice to keeping the exposure classified in the corresponding risk stage or its consideration as refinancing if it was previously so qualified.

In relation to the payment deferrals for customers affected by the pandemic, and with the goal of mitigating as much as possible the impact of these measures in the Group, due to the high concentration of its maturities over time, BBVA has worked on an anticipation plan based on some basic lines of action, supported by the following pillars:

• Diagnose: portfolio segmentation.
• Strategy: value offering and action protocols by segment.
• Operationality: equipment and channel sizing.

These lines of action have made it possible to advance the management actions to be carried out with customers according to their level of involvement and local legislation.

Calculation of expected losses due to credit risk

To respond to the circumstances generated by the global COVID-19 pandemic in the macroeconomic environment, characterized by a high level of uncertainty regarding its intensity, duration and speed of recovery, forward-looking information has been updated in the IFRS 9 models to incorporate the best information available at the date of publication of this report. The estimation of the expected losses has been calculated for the different geographical areas in which the Group operates, with the best information available for each of them, considering both the macroeconomic perspectives and the effects on specific portfolios, sectors or specific accredited. The scenarios used consider the various economic measures that have been announced by governments as well as monetary, supervisory and macroprudential authorities around the world. However, the final magnitude of the impact of this pandemic on the Group's business, financial situation and results, which could be material, will depend on future and uncertain events, including the intensity and persistence over time of the consequences derived from the pandemic in the different geographical areas in which the Group operates.

The expected losses calculated according to the methodology provided by the Group, including macroeconomic projections, have been supplemented with additional amounts that have been considered necessary to collect the particular characteristics of specific accredited sectors or portfolios and that may not be identified in the general process. Of the complementary amounts recognized throughout the year, at the end of 2020 there remains a €244m pending allocation to specific accredited portfolios, mainly in Spain and to a lesser extent in the United States.

These lines show the evolution of the exposure of corporate banking clients to the sectors that have been considered most vulnerable in the COVID-19 pandemic environment:

EXPOSURE AT DEFAULT TO MOST VULNERABLE SECTORS (MILLIONS OF EUROS)

Credit risk indicators of the BBVA Group

BBVA Group's main risk indicators evolved during 2020 as described below, as a result, among other reasons, of the situation generated by the pandemic:

• Credit risk decreased by 4.6% (up 1.8% at constant exchange rates) during 2020. In the last quarter of the year, this metric remained almost flat, in both current and constant exchange rates, as the growth in Spain, Turkey and South America was offset by a contraction in the United States and Rest of Eurasia. Mexico’s growth in the last quarter was driven by the evolution of the exchange rate.
• The balance of non-performing loans was lower than at the end of December of the previous year, although it increased in the last quarter of the year (up 2.7% at current exchange rates, up 2.9% at constant exchange rates), mainly because of the entries into default of the retail portfolios in Mexico.
• The NPL ratio stood at 4.0% at the end of December, above the end of the previous year and the end of the third quarter.
• Loan-loss provisions fell by 1.9% in the quarter. Compared to December 2019, they were 6.1% higher due to the provisions made in the first half of the year as a result of the negative effects of COVID-19.
• The NPL coverage ratio closed at 81% from 85% in the previous quarter, due to the increase in the balance of non-performing loans and with a significant improvement of 488 basis points compared to the end of 2019.

The cumulative cost of risk at December 31, 2020 stood at 1.51%, compared to a cumulative 1.69% at the end of September and following the strong growth registered in March related to the significant increase in the loan loss allowances in the first quarter.

NON-PERFORMING LOANS AND PROVISIONS (MILLONS OF EUROS)

CREDIT RISK ⁽¹⁾ (MILLIONS OF EUROS)

NON-PERFORMING LOANS EVOLUTION (MILLIONS OF EUROS)

Market risk

For futher information, see Note 7.4 of the Consolidated Financial Statements.

Structural risks

Structural interest rate risk

The aim of managing interest-rate risk is to limit the sensitivity of the balance sheets to interest rate fluctuations. BBVA carries out this work through an internal procedure following the guidelines established by the European Banking Authority (EBA), which measures the sensitivity of net interest income and economic value to determine the potential impact of a range of scenarios on the Group's different balance sheets.

The model is based on assumptions intended to realistically mimic the behavior of the balance sheet. Assumptions regarding the behavior of accounts with no explicit maturity and prepayment estimates are of particular relevance. These assumptions are reviewed and adapted at least once a year to take into account any changes in behavior.

At the aggregate level, BBVA continues to maintain a moderate risk profile, in accordance with the established target, showing a net interest income position which would be favored by an increase in interest rates. The effective management of structural balance sheet risk has allowed it to mitigate the negative impact of the downward trend in interest rates and the volatility experienced as a result of the effects of COVID-19, and is reflected in the soundness and recurrence of net interest income.

By area, the main features are:

• Spain and the United States have balance sheets characterized by a high proportion of variable-rate loans in the loan portfolio (basically mortgages in Spain and corporate lending in both countries) and liability composed mainly of customer deposits. The ALCO portfolios act as hedging for the bank's balance sheet, mitigating its sensitivity to interest rate fluctuations. The profile of both balance sheets has remained stable during 2020. In Spain the sensitivity of the net interest income has increased in the year due the higher volume of sensitive balances (liquid short-term assets) as a result of the liquidity generated by the balance and the additional TILTRO III financing, as well as the maturity of a part of the mortgage portfolio coverage.
• In addition, following a slightly downward trend at the start of the year for European benchmark interest rates (Euribor), there was a rebound of around 20–30 basis points (depending on the maturity) in mid-March. This was a result of an adjustment in expectations after the ECB held the marginal deposit facility rate at -0.50% when the market had discounted a fall, and an increase in the required credit spread in the light of the COVID-19 crisis. However, since May, Euribor has fallen between -35 and -45 basis points, reaching record lows, mainly due to the easing of credit spreads and the ECB's monetary stimulus measures. In the United States, base rates (Libor) have maintained a downward trend during the year (falling around 165 basis points in the main terms), in line with the Fed's rate cuts in the first quarter of the year.
• Mexico continues to show stability between the balance sheet items benchmarked at fixed and variable interest rates. In terms of assets that are most sensitive to interest rate fluctuations, the corporate portfolio stands out, while consumer loans and mortgages are mostly at a fixed rate. The ALCO portfolio is used to neutralize the longer duration of customer deposits. The sensitivity of net interest income continues to be limited and stable in 2020, considering the new interest rate scenario that emerged in March, with a downward trend in benchmark rates throughout 2020 compared to expectations at the beginning of the year. In this regard, the monetary policy rate at the end of December stood at 4.25%, which has meant a reduction of -300 basis points during 2020.
• In Turkey, the interest-rate risk (broken down into Turkish lira and US dollars) is limited. In terms of assets, the sensitivity of lending, which is mostly fixed-rate, but with relatively short maturities, and the ALCO portfolio, including inflation-linked bonds, are balanced by the sensitivity of deposits on the liability side, which are repriced in the short term. The sensitivity of net interest income on the currency balance sheets increased due to the establishment of the asset ratio in the second quarter of 2020. In relation to the benchmark rates, the strong increase since August reverted the decreases of the previous quarters, ending the year with an increase of 500 basis points above the level of December 2019.
• In South America, the risk profile for interest rates remains low as most countries in the area have a fixed/variable composition and maturities that are very similar for assets and liabilities, with a low and small variations net interest income sensitivity throughout 2020. In addition, in balance sheets with several currencies, interest-rate risk is managed for each of the currencies, showing a very low level of risk. The measures promoted by central banks have helped the downward trend of the benchmark interest rates (-250 basis points in Colombia and -200 basis points in Peru during the year) at minimum levels below that expected at the beginning of the year.

Structural foreign exchange rate risk

Foreign exchange risk management of BBVA's long-term investments, principally stemming from its overseas franchises, aims to preserve the Group's capital adequacy ratio and ensure the stability of its income statement.

BBVA has maintained its policy of actively hedging its main investments in emerging markets, covering on average between 30% and 50% of annual earnings and around 70% of the CET1 capital ratio excess. Based on this policy, the sensitivity of the CET1 ratio to a depreciation of 10% against the euro of the main emerging-market currencies stood at -5 basis points for the Mexican peso and -2 basis points for the Turkish lira. In the case of the US dollar, the sensitivity to a depreciation of 10% against the euro is approximately +9 basis points. The transactional foreign currency risk associated with the sale of the subsidiary in the United States is managed in a way to minimize negative impacts at the level of net profit and capital ratio (after sales). At the end of December, the coverage level for expected earnings for 2021 was at levels close to 50% in the case of Turkey, 40% for Mexico, 50% for Peru and 40% for Colombia.

Structural equity risk

For futher information, see Note 7.3 of the Consolidated Financial Statements.

Liquidity and funding risk

Management of liquidity and funding at BBVA aims to finance the recurring growth of the banking business at suitable maturities and costs, using a wide range of instruments that provide access to a large number of alternative sources of financing. In this context, it is important to notice that, given the nature of BBVA's business, the funding of lending activity is fundamentally carried out through the use of stable customer funds.

Due to its subsidiary-based management model, BBVA is one of the few major European banks that follows the Multiple Point of Entry (MPE) resolution strategy: the parent company sets the liquidity policies, but the subsidiaries are selfsufficient and responsible for managing their own liquidity (taking deposits or accessing the market with their own rating), without fund transfers or financing occurring between either the parent company and the subsidiaries or between the different subsidiaries. This strategy limits the spread of a liquidity crisis among the Group's different areas, and ensures that the cost of liquidity and financing is correctly reflected in the price formation process.

During of 2020, liquidity conditions have remained comfortable across all countries in which the BBVA Group operates. Since the beginning of March, the global crisis caused by COVID-19 had a significant impact on financial markets. The initial effects of this crisis on the Group's balance sheets have fundamentally been felt through increased drawdown of credit facilities by wholesale customers in the face of worsening funding conditions in the markets, with no significant effect in the retail world. These drawdowns were largely returned throughout the following quarters. Given this initial uncertainty, the different central banks provided a joint response through specific measures and programs to facilitate the funding of the real economy and the provision of liquidity in the financial markets, increasing liquidity buffers in almost all geographical areas.

BBVA Group maintains a solid liquidity position in every geographical area with liquidity ratios comfortably above the minimum required:

The BBVA Group's liquidity coverage ratio (LCR) remained significantly above 100% during 2020 and stood at 149% as of December 31, 2020. For the calculation of this ratio, it is assumed that there is no transfer of liquidity among subsidiaries; i.e. no kind of excess liquidity levels in foreign subsidiaries are considered in the calculation of the consolidated ratio. When considering these excess liquidity levels, the BBVA Group's LCR would stand at 185%.

The Net Stable Funding Ratio (NSFR), defined as the ratio between the amount of stable funding available and the amount of stable funding required, is one of the Basel Committee's essential reforms, whose transposition under CRR II will become effective in June 2021, and requires banks to maintain a stable funding profile in relation to the composition of their assets and off-balance sheet activities. This ratio should be at least 100% at all times. At the BBVA Group, the NSFR, calculated according to the Basel requirements, stood at 127% as of December 31, 2020.

These ratios in the main geographical areas in which the Group operates are shown below:

LCR AND NSFR RATIOS (PERCETANGE. 31-12-20)

The most relevant aspects related to the main geographical areas are the following:

• In the Eurozone, BBVA’s liquidity situation remains comfortable with a high quality ample liquidity buffer that has been strengthened during the year as a result of the management measures implemented and the actions of the European Central Bank (ECB) which have led to an increase of liquidity in the system. In the wake of the COVID-19 crisis, there was initially a higher demand for lending through increased drawdowns of credit facilities by the Corporate & Investment Banking wholesale business, which was also accompanied by growth in customer deposits. Subsequently, in the following of the year there were partial repayments of the aforementioned drawdowns, while deposits have continued to grow. In addition, it is important to mention the measures implemented by the ECB in order to face the crisis, which have included different actions, such as: the expansion of asset purchase programs, in particular through the Pandemic Emergency Purchase Programme (PEPP) for €750,000m in a first tranche announced in March extended with a second tranche for a further €600,000m until June 2021, or until the ECB considers the crisis to be over and with a third tranche for €500,000m until at least the end of March 2022 ; the coordinated action by Central Banks for the provision of US dollars; a package of temporary collateral easing measures affecting eligibility for use in funding operations and the easing and improvement of the conditions for the TLTRO III program and the creation of the new program of long-term , refinancing operations without specific emergency objective (Pandemic emergency longer-term refinancing operations, PELTRO). In March and June, BBVA took part in the TLTRO III liquidity windows (with an amount drawn at the end of December of €35,032m) due to its favorable cost and maturity conditions, and repaid the corresponding part of the TLTRO II program.
• BBVA USA also maintains a strong liquidity buffer consisting of high-quality assets, which has been strengthened during 2020. As in the Eurozone, there was an increase in loans toward the end of the first quarter of 2020, mainly due to a rise in the drawing down of credit facilities by wholesale customers and the US government's stimulus program for SMEs and self-employed workers (Paycheck Protection Program). In the following quarters, there were repayments that have now brought the credit facility usage percentage back to pre-pandemic levels. In addition, deposits have grown very significantly during the year, reflecting the high level of liquidity in the system as a result of the stimulus programs established by the government and the Fed.
• At BBVA Mexico, the liquidity position has remained strong during 2020. Following the COVID-19 crisis, the lending gap increased in the first quarter of the year due to increased drawdowns of credit facilities. However in the second quarter, the success of the commercial actions and the normalization of lending growth led to a reduction in the lending gap compared to December 2019 levels. During the third and fourth quarter of the year, the reduction in the lending gap has been exacerbated, driven by a reduction in loans and a growth in deposits, despite the progressive ending of the commercial policies implemented to attract deposits, creating a comfortable position in liquidity ratios. Regarding the measures taken by Banxico over the year, in addition to reducing the monetary policy rate, it announced a reduction in the Monetary Regulation Deposit and the start of auctions of US dollars with credit institutions (swap line with the Fed) in which BBVA Mexico participated in April, in the amount of USD 1,250m, partially renewing that position from June to September for USD 700m. Likewise, it has participated in the Banxico 7 and 8 facilities (measures to direct funds to micro, small and medium-sized companies, as well as individuals affected by the pandemic).
• At Garanti BBVA, the liquidity situation remained comfortable during the 2020, with a contraction of loans and a growth of deposits in foreign currency, as well as higher growth of loans than deposits in local currency. As a result of the COVID-19 crisis, an increase in collateral requirements was seen due to the credit risk in Turkey (Credit Default Swaps) to cover derivative valuations and wholesale funding. Moreover, Turkey's regulator established the so-called asset ratio to encourage banks, to increase lending and avoid the accumulation of deposits, which caused an increase in the lending gap. This was covered by the bank's excess liquidity. Later, the asset ratio requirement was reduced in the third quarter (from 100% to 90%) and it was eliminated in December. In the face of contractionary policies, The Central Bank of the Republic of Turkey (CBRT) increased the reserve requirement rates, and during the second semester of the year the cost of lending and the base rate has progressively increased. In addition, the Credit Default Swap returns to previous levels to COVID-19 pandemic. With all this, during the year, Garanti BBVA has shown a good liquidity buffer.
• In South America, an adequate liquidity situation prevails throughout the region, helped by the support of various central banks and governments which, in order to mitigate the impact of the COVID-19 crisis, have acted by implementing measures to stimulate economic activity and provide greater liquidity in financial systems. In Argentina, US dollar deposit outflows in the banking system slowed down to show growth in the fourth quarter, although BBVA Argentina continues to maintain a strong liquidity position with comfortable liquidity ratios. In Colombia, after the adjustment of the excess liquidity carried out in the third quarter by reducing wholesale deposits, a comfortable liquidity position has been maintained, as well as BBVA Perú, where the liquidity position has been reinforced by the increase in the volume of deposits during the second quarter, as well as by the funds from the Central Bank´s support programs.

The wholesale funding markets in which the Group operates, after two months of great stability at the start of 2020, were followed by a strong correction as a result of the crisis of COVID-19 and the limited access to the primary market. This situation has been stabilizing, marked by the evolution of the pandemic, the vaccines development, various geopolitical events and the actions of Central Banks. Secondary market levels ended the year reaching January 2020 levels, while primary market volumes have been reactivating, reducing the issue premiums.

The main transactions carried out by the companies that form part of the BBVA Group in 2020 are:

• During the first quarter of 2020, BBVA, S.A. carried out two issuances of senior non-preferred debt by a total approximate amount of €1,400m and a Tier 2 issuance totaling €1,000m. In the second quarter of 2020, it issued preferred senior debt totaling €1,000m as a COVID-19 social bond, the first of its kind from a private financial institution in Europe. In the third quarter, it carried out three public issues: the first is the first green convertible bond (CoCo) ever issued by a financial institution worldwide in the amount of €1,000m; a subordinated Tier 2 debt issuance in Pounds sterling, for the amount of 300m; and the third is a preferred debt issue filed with the U.S. Securities and Exchange Commission (SEC), in two tranches over three and five years, in a total amount of USD 2,000m. On the other hand, in February 2020 a CoCo of €1,500m was amortized and in January 2020 three preferential issues were amortized in advance (For more information about these transactions, see the "Solvency" chapter of this report).
• In Mexico, a local senior issuance was successfully carried out in February for MXN 15,000m (€614m) in three tranches. Two tranches in Mexican pesos over 3 and 5 years (one for MXN 7,123m at the Interbank Equilibrium Interest Rate (TIIE) 28 + 5 basis points and another for MXN 6,000m at TIIE 28 + 15 basis points, respectively), and another tranche in US dollars over 3 years (USD 100m at 3-month Libor + 49 basis points). The purpose of this issuance was to bring forward the refinancing of maturities in the year, taking advantage of the good market conditions, as well as to strengthen the liquidity situation by offsetting the seasonal outflows of deposits in the early months of the year. In September, it carried out an international issuance of unsecured 5-year senior debt in an amount of USD 500m at a rate of 1.875%, which represents the lowest ever for a financial institution in Mexico and the lowest of any of Latin America's private financial institutions. This issue is the second under BBVA Mexico's Global Issuer Program, which has a value of up to USD 10,000m.
• In Turkey, the issues have not been fully renewed by the foreign currency gap reduction in 2020 Garanti BBVA carried out a Tier 2 issuance for TRY 750m in the first quarter. In the second quarter, Garanti BBVA partially renewed a syndicated loan of USD 699m by issuing the first green syndicated loan for a bank indexed to sustainability criteria, and in whose renovation the EBRD (European Bank for Reconstruction and Development) and the IFC (International Finance Corporation) participated. In the fourth quarter, Garanti renewed another syndicated loan, by an amount of USD 636m, in two tranches and with a maturity of 367 days (a tranche by USD 267.5m at up 2.50% Libor and another tranche by €312m at Euribor up 2.25%).
• In the United States and in South America, there have been no material issuances in 2020.

Operational Risk

BBVA defines operational risk (“OR”) as any risk that could result in losses caused by human error; inadequate or flawed internal processes; undue conduct with respect to customers, markets or the institution; failures, interruptions or flaws in systems or communications; theft, loss or wrong use of information, as well as deterioration of its quality, internal or external fraud, including in any case those derived from cyberattacks; theft or harm to assets or persons, legal risks; risks derived from staff management and labor health; and defective service provided by suppliers.

Operational risk management is oriented towards the identification of the root causes to avoid their occurrence and mitigate possible consequences. This is carried out through the establishment of mitigation plans, monitoring and the development of control frameworks aimed at minimizing resulting economic and reputational losses and their impact on the recurrent generation of results, and contributing the increase the quality, safety and availability of the provided service. Operational risk management is integrated into the global risk management structure of the BBVA Group.

This section addresses general aspects of operational risk management as the main component of non-financial risks. However, sections devoted to conduct and compliance risk and to cybersecurity risk management are also included in the non-financial information report.

Operational Risk Management Principles

The BBVA Group is committed to preferably applying advanced operational risk management models, regardless of the capital calculation regulatory model applicable at the time. Operational risk management at the BBVA Group shall:

• Be aligned with the Risk Appetite Framework ratified by the BBVA Board of Directors.
• Address BBVA's management needs in terms of compliance with legislation, regulations and industry standards, as well as the decisions or positioning of BBVA's corporate bodies.
• Anticipate the potential operational risk to which the Group may be exposed as a result of the creation or modification of products, activities, processes or systems, as well as decisions regarding the outsourcing or hiring of services, and establish mechanisms to assess and mitigate risk to a reasonable extent prior to implementation, as well as review the same on a regular basis.
• Establish methodologies and procedures to enable regular reassessment of the significant operational risk to which the Group is exposed, in order to adopt appropriate mitigation measures in each case, once the identified risk and the cost of mitigation (cost/benefit analysis) have been considered, while safeguarding the Group's solvency at all times.
• Promote the implementation of mechanisms that support careful monitoring of all sources of operational risk and the effectiveness of mitigation and control environments, fostering proactive risk management.
• Examine the causes of any operational events suffered by the Group and establish means to prevent the same, provided that the cost/benefit analysis so recommends. To this end, procedures must be in place to evaluate operational events and mechanisms and to record the operational losses that may be caused by the same.
• Evaluate key public events that have generated operational risk losses at other institutions in the financial sector and support, where appropriate, the implementation of measures as required to prevent them from occurring at the Group.
• Identify, analyze and attempt to quantify events with a low probability of occurrence and a high impact, which by their exceptional nature may not be included in the loss database; or if they are, feature with impacts that are not very representative for the purpose of valuing possible mitigation measures.
• Have an effective system of governance in place, where the functions and responsibilities of the corporate areas and bodies involved in operational risk management are clearly defined.
• Operational risk management must be performed in coordination with management of other risk, taking into consideration credit or market events that may have an operational origin.

Operational risk control and management model

The operational risk management cycle at BBVA is similar to the one implemented for the rest of risks. Its elements are:

Operational risk management parameters

Operational risk forms part of the risk appetite framework of the Group and includes three types of metrics and limits:

• Economic capital calculated with the operational losses database of the Group and the industry, considering the corresponding diversification effects and the additional estimation of potential and emerging risks through stress scenarios designed for the main types of risks. The economic capital is regularly calculated for the main banks of the Group and simulation capabilities are available to anticipate the impact of changes on the risk profile or new potential events.
• ORI metrics (Operational Risk Indicator: operational risk losses vs. gross income) broken down by geography, business area and type of risk.
• Additionally, a more granular common scheme of metrics (indicators and limits) covering the main types of operational risk is being implemented throughout the Group. These metrics will make it possible to intensify the anticipatory management of risk and objectify the appetite to different sources.

Operational risk admission

The main purposes of the operational risk admission phase are the following:

• To anticipate potential operational risk to which the Group may be exposed due to the release of new, or modification of existing, products, activities, processes or systems, as well as purchasing decisions (e.g. outsourcing).
• To ensure that implementation and the roll out of initiatives is only performed once appropriate mitigation measures have been taken in each case, including risk assurance where deemed appropriate.

The Corporate Non-Financial Risk Management Policy sets out the specific operational risk admission framework through different committees, at a corporate and Business Area level, that follow a delegation structure based on the risk level of proposed initiatives.

Operational risk monitoring

The purpose of this phase is to check that the target operational risk profile of the Group is within the authorized limits. Operational risk monitoring considers 2 scopes:

• Monitoring the operational risk admission process, oriented towards checking that accepted risks levels are within the limits and that defined controls are effective.
• Monitoring the operational risk "stock" associated with processes. This is done by carrying out a periodic re-evaluation in order to generate and maintain an updated map of the relevant operational risks in each Area, and evaluate the adequacy of the monitoring and mitigation environment for said risks. This promotes the implementation of action plans to redirect the weaknesses detected.

This process is supported by a corporate Governance, Risk & Compliance tool that monitors OR at a local level and its aggregation at a corporate level.

In addition, and in line with the best practices and recommendations provided by the BIS, BBVA has procedures to collect the operational losses occurred in the different entities of the Group and in other financial groups, with the appropriate level of detail to carry out an effective analysis that provides useful information for management purposes and to contrast the consistency of the Group's operational risk map. To that end, a corporate tool of the Group is used.

The Group ensures continuous monitoring by each Area of the due functioning and effectiveness of the control environment, taking into consideration management indicators established for the Area, any events and losses that have occurred, as well as the results of actions taken by the second line of defense, the internal audit unit, supervisors or external auditors.

Operational risk mitigation

The Group promotes the proactive mitigation of the financial risks to which it is exposed and which are identified in the monitoring activities.

In order to rollout common monitoring and anticipated mitigation practices throughout the Group, several cross-sectional plans are being promoted related to focuses from events, lived by the Group or by the industry, self-assessments and recommendations from auditors and supervisors in different geographies, thereby analyzing the best practices and fostering comprehensive action plans to strengthen and standardize the control environment.

Insurance of operational risk

Insurance is one of the possible options for managing the operational risk to which the Group is exposed, and mainly has two potential purposes:

• Coverage of extreme situations linked to recurrent events that are difficult to mitigate or can only be partially mitigated by other means.
• Coverage of nonrecurrent events that could have significant financial impact, if they occurred.

The Group has a general framework that regulates this area, and allows systematizing risk assurance decisions, aligning insurance coverage with the risks to which the Group is exposed and reinforcing governance in the decision-making process of arranging insurance policies.

Operational risk control model

BBVA Group's operational risk governance model is based on two components:

• Three-line defense control model, in line with industry best practices, and which guarantees compliance with the most advanced operational risk internal control standards.
• Scheme of Corporate Assurance Committees and Internal Control and Operational Risk Committees at the level of the different business and support areas.

Corporate Assurance establishes a structure of committees, both local and corporate, to provide senior management with a comprehensive and homogeneous vision of the main non-financial risks and significant situations of the control environment. The aim is to support rapid decision-making with foresight, for the mitigation or assumption of the main risks.

Each geography has a Corporate Assurance Committee chaired by the Country Manager and whose main functions are:

• Monitoring the changes in the non-financial risks and their alignment with the defined strategies and policies and the risk appetite.
• Analyzing and assessing controls and measures established to mitigate the impact of the risks identified, should they materialize.
• Making decisions about the proposals for risk taking that are conveyed by the working groups or that arise in the Committee itself.
• Promoting transparency by promoting the proactive participation of the three lines of defense in discharging their responsibilities and the rest of the organization in this area .

At the holding company level there is a Global Corporate Assurance Committee, chaired by the Group's Chief Executive Officer. Its main functions are similar to those already described but applicable to the most important issues that are escalated from the geographies and the holding company areas.

The business and support areas have an Internal Control and Operational Risk Committee, the purpose of which is to ensure the due implementation of the operational risk management model within its scope of action and drive active management of such risk, taking mitigation decisions when control weaknesses are identified and monitoring the same.

Additionally, the Non-Financial Risk unit periodically reports the status of the management of non-financial risks in the Group to the Board's Risk and Compliance Committee.

Reputational risk

Reputational risk assessment

Since 2016, BBVA disposes of a reputational risk assessment methodology. Through this methodology, the Bank defines and reviews regularly a map in which it prioritizes the reputational risks which have to be faced and the set of action plans to mitigate them. The prioritization is done based on two variables: the impact on the perception of the stakeholders and the strength of BBVA facing the risk.

This exercise is performed annually in all geographical areas where the Group is operating and the business areas CIB and AM EMEA. As a result of the assessment carried out in 2019, 24 mitigation action plans have been conducted during 2020.

The guide for the Annual Reputational Risk Assessment of the stock was updated by the end of 2019 and was implemented in all Banks of BBVA Group during 2020. Likewise, it is planned to elaborate in 2020 a guide for the Annual Reputational Risk Assessment in the process of the Admission of Non-financial Risks.

Identification of the Reputational Risk

The Responsible Business teams collaborate, together with the rest of the members of BBVA’s second defense line, in the different Committees of Admission of the Operational Risk, both at Group and local level. Those Committees are responsible for the initial identification of potential reputational risks, and, where appropriate, an assessment of the foreseeable impact on BBVA’s reputation.

Reporting of the Reputational Risk

The results of the annual assessment of the Reputational Risk are reported in every geographical area at the appropriate governance level and, at Group level, reported to the Global Corporate Assurance Committee and, since 2020, to the Executive Committee.

Risk factors

As mentioned earlier, BBVA has processes in place for identifying risks and analyzing scenarios that enable the Group to manage risks in a dynamic and proactive way.

The risk identification processes are forward looking to ensure the identification of emerging risks and take into account the concerns of both the business areas, which are close to the reality of the different geographical areas, and the corporate areas and senior management.

Risks are captured and measured consistently using the methodologies deemed appropriate in each case. Their measurement includes the design and application of scenario analyses and stress testing and considers the controls to which the risks are subjected.

As part of this process, a forward projection of the risk appetite framework variables in stress scenarios is conducted in order to identify possible deviations from the established thresholds. If any such deviations are detected, appropriate measures are taken to keep the variables within the target risk profile.

To this extent, there are a number of emerging risks that could affect the Group´s business trends. These risks are described in the following main sections:

Risk related to new coronavirus (COVID-19) pandemic

The COVID-19 pandemic is adversely affecting the world economy and economic activity and conditions in the countries in which the Group operates, leading many of them to economic recession in 2020 and relatively moderate activity growth in 2021, so that probably only from 2022 will the GDP levels observed before the crisis recover. Among other challenges, these countries are experiencing widespread increases in unemployment levels and falls in production, while public debt has increased significantly due to support and spending measures implemented by government authorities. In addition, there is an increase in defaults on debts by both companies and individuals, volatility in financial markets, including exchange rates, and falls in the value of assets and investments, all of which have had a negative impact on the Group's in the year 2020 and is expected to continue to affect in the future.

Furthermore, the Group may be affected by the measures adopted by regulatory authorities in the banking sector, including but not limited to, the recent reductions in reference interest rates, the relaxation of prudential requirements, the suspension of dividend payments, the adoption of payment deferrals measures for bank clients (such as those included in Royal Decree Law 11/2020 in Spain, as well as in the CECA-AEB agreement to which BBVA has adhered and which, among other things, allows loan debtors to extend maturities and defer interest payments) and facilities to grant credit through a line of guarantees or public guarantees, especially to companies and the self-employed individuals, as well as any changes in the financial asset purchase programs.

Since the outbreak of COVID-19 pandemic, the Group has experienced a decline in its activity. For example, the granting of new loans to individuals has significantly decreased since the beginning of mobility restriction measures approved in certain countries in which the Group operates. In addition, the Group faces several risks, such as a greater risk of impairment of the value of its assets (including financial instruments valued at fair value, which may undergo significant fluctuations) and of the securities held for liquidity reasons, a possible significant increase in non-performing loans and a negative impact on the cost of the Group's financing and its access to financing (especially in an environment where credit ratings are affected).

Furthermore, in several of the countries in which the Group operates, including Spain, the Group has temporarily closed a significant number of its offices and reduced opening hours to the public, and the teams that provide central services have been working remotely. Although these measures have been gradually reversed due to the continued expansion of the COVID-19 pandemic, it is unclear how long it will take until normal operations can fully resume. On the other hand, the pandemic could adversely affect the business and operations of third parties that provide critical services to the Group and, in particular, the higher demand and / or lower availability of certain resources could in some cases make it more difficult to maintain the service levels. In addition, the generalization of remote work has increased the risks related to cybersecurity, as the use of non-corporate networks has increased.

As a result of the above, the COVID-19 pandemic has had an adverse effect on the Group's results and capital base. During the first half of the year the main accumulated impacts were:

• an increase in the cost of risk associated with the lending activity, mainly due to the deterioration of the macroeconomic environment, which has had a negative impact of €2,009 million in the Group (including the initial adverse effect of the payment deferral) and provisions for credit risk and contingent commitments for €95 million, (see Notes 7.2, 46 and 47 of the accompanying Consolidated Financial Stemens); and
• a deterioration in the goodwill of the Group's subsidiary in the United States, mainly due to the deterioration of the macroeconomic scenario in the United States, which has had a net negative impact of €2,084 million on the Group's attributed profit in this period (although this impact does not affect the tangible book value, nor the solvency or the liquidity of the Group) (see Notes 18.1 and 49 of the accompanying Consolidated Financial Statements).

From June 30, 2020 on, and as a consequence of the general deterioration of the global macroeconomic scenario, its specific effects cannot be isolated, affecting all of the Group's consolidated Financial Statements.

Macroeconomic and geopolitical risks

The Global economy is being severely affected by the COVID-19 pandemic. Supply, demand and financial factors caused an unprecedented fall in GDP in the first half of 2020. Supported by strong fiscal and monetary policy measures, as well as greater control over the spread of the virus, global growth rebounded more than expected in the third quarter, before slowing down in the fourth, when the number of infections rose again in many regions, mainly in the United States and Europe. As for 2021, the unfavorable evolution of the pandemic is expected to adversely affect activity in the short term, while new fiscal and monetary stimuli, as well as the administering of coronavirus vaccines, are expected to support recovery from mid-year onwards.

Following the massive fiscal and monetary stimuli to support economic activity and reduce financial tensions, government debt has increased across the board and interest rates have been cut, and are now at historical low levels. Additional countercyclical measures may be required. Similarly, a significant reduction in current stimuli is not expected, at least until the recovery takes hold.

Tensions in the financial markets have moderated rapidly since the end of March 2020, following the decisive actions taken by the main central banks and the fiscal packages announced in many countries. In recent months, the markets have shown relative stability and, at certain times, risk-taking movements. Likewise, progress related to the development of COVID-19 vaccines and prospects for economic recovery should pave the way for financial volatility to persist at relatively low levels in general going forward.

BBVA Research estimates that global GDP contracted by around 2.6% in 2020 and will expand by around 5.3% in 2021 and 4.1% in 2022. Activity will recover gradually and heterogeneously among countries. Various epidemiological, financial and geopolitical factors are also contributing to the persistent exceptionally high uncertainty.

With regard to the banking system, in an environment in which much of the economic activity has been at a stand still for several months, the services provided have played an essential role, basically for two reasons: firstly, the banks have ensured the proper functioning of collections and payments for households and companies, thereby contributing to the maintenance of economic activity; secondly, the granting of new lending or the renewal of existing lending has reduced the impact of the economic slowdown on household and business income. The support provided by the banks over the months of lockdown and public guarantees have been essential in softening the impact of the crisis on companies' liquidity and solvency, meaning that banking has become its main source of funding for most companies.

In terms of profitability, European and Spanish banking have deteriorated, primarily because many entities recorded high provisions for impairment on financial assets in the first two quarters of 2020 as a result of the worsening macroeconomic environment following the pandemic outbreak. Pre-pandemic profitability levels remained far from the levels prior to the previous financial crisis. This is in addition to the accumulation of capital since the previous crisis and the very low interest rate environment that we have been experiencing for several years. Nevertheless, the banks are facing this situation from a healthy position and with solvency that has been constantly increasing since the 2008 crisis, with reinforced capital and liquidity buffers and, therefore, with a greater lending capacity.

The BBVA Group has a General Risk Management and Control Model appropriate to its business model, its organization, the countries in which it operates and its corporate governance system, which allows it to carry out its activity within the framework of the risk management and control strategy and policy defined by the corporate bodies. This model deals with management in global form adapting itself to the circumstances of each moment. This Model is applied integrally in the Group.

In this sense, from the beginning of the crisis, the BBVA Group implemented specific measures for the proper management of these associated risks, establishing different global initiatives that define the risk management strategy during the crisis, with common action protocols that should be implemented and adapted, when needed, to local needs.

The BBVA Group global risk unit - Global Risk Management (hereinafter, “GRM”) - has increased the frequency and intensity of the evaluation of potential impacts on the different groups and clients, in order to prevent their future evolution, and carried out appropriate adjustments and reclassifications, reinforcing its processes, governance and teams in Holding and countries to act in a coordinated manner, focusing priority on crisis management.

Over the past year, it has been found that the pandemic has a global impact , affecting to a greater extent the sectors in which there is a high level of human interaction (transport, especially air transport, leisure, especially hotel establishments, as well as industries and activities dependent on them), regardless of the regional area in question. For this reason, the Bank's risk management has clearly been intensified by sectorial vectors over other conditioning factors such as geographic.

Regulatory and reputational risks

Financial institutions are exposed to a complex and ever-changing regulatory environment defined by governments and regulators. This can affect their ability to grow and the capacity of certain businesses to develop, and result in stricter liquidity and capital requirements with lower profitability ratios. The Group constantly monitors changes in the regulatory framework that allow for anticipation and adaptation to them in a timely manner, adopt industry practices and more efficient and rigorous criteria in its implementation.

The financial sector is under ever closer scrutiny by regulators, governments and society itself. In the course of activities, situations which might cause relevant reputational damage to the entity could raise and might affect the regular course of business. The attitudes and behaviors of the Group and its members are governed by the principles of integrity, honesty, long-term vision and industry practices through, inter alia, the internal control model, the Code of Conduct, the Corporate Principles in tax matters and Responsible Business Strategy of the Group.

Business, operational and legal risks

New technologies and forms of customer relationships: Developments in the digital world and in information technologies pose significant challenges for financial institutions, entailing threats (new competitors, disintermediation, etc.) but also opportunities (new framework of relations with customers, greater ability to adapt to their needs, new products and distribution channels, etc.). Digital transformation is a priority for the Group as it aims to lead digital banking of the future as one of its objectives.

Technological risks and security breaches: The Group is exposed to new threats such as cyber-attacks, theft of internal and customer databases, fraud in payment systems, etc. that require major investments in security from both the technological and human point of view. The Group gives great importance to the active operational and technological risk management and control.

The financial sector faces an environment of increasing regulatory and litigious pressure, and thus, the various Group entities are usually party to individual or collective judicial proceedings (including class actions) resulting from their activity and operations, as well as arbitration proceedings. The Group is also party to other government procedures and investigations, such as those carried out by the antitrust authorities in certain countries which, among other things, have in the past and could in the future result into sanctions, as well as lead to claims by customers and others. In addition, the regulatory framework, in the jurisdictions in which the Group operates, is evolving towards a supervisory approach more focused on the opening of sanctioning proceedings while some regulators are focusing their attention on consumer protection and behavioral risk.

In Spain and in other jurisdictions where the Group operates, legal and regulatory actions and proceedings against financial institutions, prompted in part by certain judgments in favor of consumers handed down by national and supranational courts, have increased significantly in recent years and this trend could continue in the future. The legal and regulatory actions and proceedings faced by other financial institutions in relation to these and other matters, especially if such actions or proceedings result in favorable resolutions for the consumer, could also adversely affect the Group.

All of the above may result in a significant increase in operating and compliance costs or even a reduction of revenues, and it is possible that an adverse outcome in any proceedings (depending on the amount thereof, the penalties imposed or the procedural or management costs for the Group) could damage the Group's reputation, generate a knock-on effect or otherwise adversely affect the Group.

It is difficult to predict the outcome of legal and regulatory actions and proceedings, both those to which the Group is currently exposed and those that may arise in the future, including actions and proceedings relating to former Group subsidiaries or in respect of which the Group may have indemnification obligations, but such outcome could be significantly adverse to the Group. In addition, a decision in any matter, whether against the Group or against another credit entity facing similar claims as those faced by the Group, could give rise to other claims against the Group. In addition, these actions and proceedings attract resources from the Group and may occupy a great deal of attention on part of the Group's management and employees.

As of December 31, 2020, the Group had €612 million in provisions for the proceedings it is facing (included in the line "Provisions for litigation and pending tax cases" in the consolidated balance sheet) (see Note 25), of which €574 million correspond to legal contingencies and €38 million to tax related matters. However, the uncertainty arising from these proceedings (including those for which no provisions have been made, either because it is not possible to estimate them or for other reasons) makes it impossible to guarantee that the possible losses arising from these proceedings will not exceed, where applicable, the amounts that the Group currently has provisioned and, therefore, could affect the Group's consolidated results in a given period.

As a result of the above, legal and regulatory actions and proceedings currently faced by the Group or to which it may become subject in the future or otherwise affected by, individually or in the aggregate, if resolved in whole or in part adversely to the Group ́s interests, could have a material adverse effect on the Group’s business, financial condition and results of operations.

As mentioned in the section “Other non-financial risks” of the Non-financial information report of this Management report, Central Investigating Court No. 6 of the National High Court is investigating the activities of Centro Exclusivo de Negocios y Transacciones, S.L. (Cenyt) in the Preliminary Proceeding No. 96/2017. Piece No. 9 of this proceeding includes the provision of services to the Bank. It is not possible at this time to predict the scope or duration of such proceeding or any related proceeding or its or their possible outcomes or implications for the Group, including any fines, damages or harm to the Group’s reputation caused thereby.