4. Risk management
4.1. General risk management and control model
The BBVA Group has a general risk management and control model (hereinafter, the “Model”) that is appropriate for its business model, its organization, the countries where it operates and its corporate governance system. This model allows the Group to carry out its activity within the management and risk control strategy and policy defined by the corporate bodies of BBVA (considering sustainability specifically) and to adapt itself to a changing economic and regulatory environment, facing this management at a global level and aligned to the circumstances at all times.
The Model, for which the Group’s Chief Risk Officer (CRO) is responsible and that must be updated or reviewed at least annually, is fully applied in the Group and it comprises the following basic elements:
- Governance and organization
- Risk Appetite Framework
- Assessment, monitoring and reporting
The Group promotes the development of a risk culture that ensures a consistent application of the Model in the Group, and that guarantees that the risks function is understood and internalized at all levels of the organization.
4.1.1 Governance & organization
The risk governance model in the BBVA Group is characterized by a special involvement of its corporate bodies, both in setting the risk strategy and in monitoring and supervising its implementation on an ongoing basis.
Thus, and as explained below, the corporate bodies are responsible for approving the risk strategy and the general policies for the different types of risks. Global Risk Management (hereinafter, GRM) and Regulation & Internal Control (including, among other areas, Non-Financial Risks) are the functions responsible for its implementation and development, with the appropriate reporting to corporate bodies.
Responsibility for day-to-day management of risks falls on business and corporate areas, the activities of which adhere to the general policies, regulation, infrastructures and controls that, based on the framework set by corporate bodies, are defined by GRM and Regulation & Internal Control in their corresponding areas of responsibility.
To carry out this work adequately, the financial risks function in the BBVA Group has been set up as a single, global function and independent from commercial areas.
The head of the risks function at an executive level, with respect to financial risks, is the Group's Chief Risk Officer (CRO), who is appointed by the Board of Directors as a member of its senior management, and reports directly on the development of the corresponding functions to the corporate bodies. The Chief Risk Officer, for the best fulfilment of the functions, is supported by a structure consisting of cross-cutting risk units in the corporate area and specific risk units in the Group's geographical and/or business areas.
In addition, and with regard to non-financial risks and internal control, the Group has a Regulation & Internal Control area independent from the rest of units and whose head (Head of Regulation & Internal Control) is also appointed by the Board of Directors of BBVA and reports directly to corporate bodies on the performance of its functions. This area is responsible for proposing and implementing non- financial risks policies and the Internal Control Model of the Group, and it is composed by, among other, the Non-Financial Risks, Regulatory Compliance and Risk Internal Control units.
The Risk Internal Control unit, within the Regulation & Internal Control area and, therefore, independent from the financial risks function (GRM), acts as a control unit for the activities carried out by GRM. In this regard, and without prejudice to the functions performed in this regard by the Internal Audit area, Risk Internal Control checks that the regulatory framework, processes and established measures are sufficient and appropriate for each type of financial risk. It also monitors its implementation and operation, and confirms that those decisions taken by GRM are taken independently from the business lines and, in particular, that there's an adequate segregation of functions between units.
Governance and organizational structure are basic pillars for ensuring an effective risk management and control. This section summarizes the roles and responsibilities of the corporate bodies in the risks area, of the Group's Chief Risk Officer and, in general, of the risks function, its interrelation and the group of committees, in addition to the Risk Internal Control unit.
Corporate Bodies of BBVA
According to the corporate governance system of BBVA, the Board of Directors of the Bank has certain reserved competencies, concerning management, through the implementation of the corresponding most relevant decisions, and concerning supervision and control, through the monitoring and supervision of implemented decisions and management of the Bank.
In addition, and to ensure an adequate performance of the management and supervisory functions of the Board of Directors, the corporate governance system comprises different committees supporting the Board of Directors with regard to matters falling within their competence, and according to the specific charters of each committee. For this purpose, a coordinated work scheme between these corporate bodies has been established.
With regard to risks, the Board of Directors' competencies are those relating to establishing the policy for controlling and managing risk and the oversight and control of its implementation.
In addition, and for an adequate performance of its duties, the Board of Directors is assisted by the Risk and Compliance Committee (hereinafter, CRC), on the issues detailed below, and by the Executive Committee (hereinafter, CDP), which is focused on the strategy, finance and business functions of the Group, for the purposes of which it monitors the risks of the Group.
The involvement of the corporate bodies of BBVA in the control and management of the risks of the Group is detailed below:
Board of Directors
The Board of Directors is responsible for establishing the risk strategy of the Group and, in this role, it determines the control and risk management policy, through the following documents:
- The Risk Appetite Framework of the Group, which includes in the one hand the risk appetite statement of the Group, that is, the general principles governing the risk strategy of the Group and its target profile; and, on the other hand, and based on the above mentioned risk appetite statement, a set of quantitative metrics (core metrics, and their corresponding statements, and by type of risk metrics), reflecting the risk profile of the Group;
- the framework of management policies of the different types of risk to which the Bank is or could be exposed, which contain the basic lines for managing and controlling risks in a uniform way across the Group and consistently with the Model and Risk Appetite Framework;
- and the Model.
All of the above in coordination with the rest of prospective-strategic decisions of the Bank, which includes the Strategic Plan, the Annual Budget, the Capital Plan and the Liquidity & Funding Plan, in addition to the rest of management objectives, whose approval is a responsibility of the Board of Directors.
In addition to defining the risk strategy, the Board of Directors (in the performance of its risks monitoring, management and control tasks) also monitors the evolution of the risks of the Group and of each main geographical and/or business area, ensuring compliance with the Risk Appetite Framework of the Group; and also supervising the internal information and control systems.
For the development of all these functions, the Board of Directors is supported by the CRC and the CDP, which are responsible for the functions detailed below.
Risk and Compliance Committee
The CRC is, according to its own charter, composed of non-executive directors and its main purpose is to assist the Board of Directors on the establishment and monitoring of the risk control and management policy of the Group.
For this purpose, it assists the Board of Directors in a variety of risk control and monitoring areas, in addition to its analysis functions, based on the strategic pillars established at all times by both the Board of Directors and the CDP, the proposals on the strategy, control and risk management of the Group, which are particularly specified in the Risk Appetite Framework and in the “Model”. After the analysis, the Risk Appetite Framework and Model proposal is submitted to the Board of Directors for consideration and, where appropriate, approval purposes.
In addition, the CRC proposes, in a manner consistent with the Risk Appetite Framework of the Group approved by the Board of Directors, the control and management policies of the different risks of the Group, and supervises the information and internal control systems.
With regard to the monitoring of the evolution of the risks of the Group and their degree of compliance with the Risk Appetite Framework and defined general policies, and without prejudice to the monitoring task carried out by the Board of Directors and the CDP, the CRC carries out monitoring and control tasks with greater frequency and receives information with a sufficient granularity to achieve an adequate performance of its duties.
The CRC also analyzes all measures planned to mitigate the impact of all identified risks, should they materialize, which must be implemented by the CDP or the Board of Directors, as the case may be. The CRC also monitors the procedures, tools and measurement indicators of those risks established at a Group level in order to have a comprehensive view of the risks of BBVA and its Group, and monitors compliance with the regulation and supervisory requirements in terms of risks.
The CRC is also responsible for analyzing those project-related risks that are considered strategic for the Group or corporate transactions that are going to be submitted to the Board of Directors of the CDP, within its scope of competence.
In addition, it contributes to the setting of the remuneration policy, checking that it is compatible with an appropriate and effective management of risks and that it does not provide incentives to take risks breaching the level tolerated by the Bank.
Lastly, the CRC ensures the promotion of the risk culture in the Group.
In 2021, the CRC has held 22 meetings.
In order to have a complete and comprehensive view of the progress of the businesses of the Group and its business units, the CDP monitors the evolution of the risk profile and the core metrics defined by the Board of Directors, being aware of any potential deviation or breach of the metrics of the Risk Appetite Framework and implementing, when applicable, the appropriate measures, as explained in the Model.
In addition, the CDP is responsible for proposing the basis for developing the Risk Appetite Framework, which will be established in coordination with the rest of prospective/strategic decisions of the Bank and the rest of management objectives.
Lastly, the CDP is the committee supporting the Board of Directors in decisions related to business risk and reputational risk, according to the dispositions set out in its own charter.
Chief Risk Officer of the Group
The Group's Chief Risk Officer (CRO) is responsible for the management of all the financial risks of the Group with the necessary independence, authority, rank, experience, knowledge and resources. The CRO is appointed by the Board of Directors of BBVA and has direct access to its corporate bodies (Board of Directors, CDP and CRC), with the corresponding regular reporting on the risk situation in the Group.
The GRM area has a responsibility as the unit transversal to all the businesses of the BBVA Group. This responsibility is part of the structure of the BBVA Group, which is formed by subsidiaries based in different jurisdictions, which have autonomy and must comply with their local regulations, but always according to the risk management and control scheme designed by BBVA as the parent company of the BBVA Group.
The Chief Risk Officer of the BBVA Group is responsible for ensuring that the risks of BBVA Group, within the scope of its functions, are managed according to the established model, assuming, among other, the following responsibilities:
- Prepare, in coordination with the rest of areas responsible for risks monitoring and control, and propose to corporate bodies the risk strategy of the BBVA Group, which includes the Risk Appetite statement of the BBVA Group, core (and their respective statements) and by type of risk metrics, and the Model.
- Ensure the necessary coordination to define and prepare the proposals for the Appetite Framework of the Group companies, and make sure they are applied correctly.
- Define, in coordination with the rest of areas responsible for risks monitoring and control, and propose to corporate bodies the general policies for each type of risk within its scope of responsibility and, as part these, to establish the required specific regulation.
- Prepare, in coordination with the rest of areas responsible for risks monitoring and control, and propose for approval, or approving if within its competence, the risk limits for the geographical areas, business areas and/or legal entities, which shall be consistent with the defined Risk Appetite Framework; it is also responsible for the monitoring, supervision and control of risk limits within its scope of responsibility.
- Submit to the Risk and Compliance Committee the information required to carry out its supervisory and control functions.
- Regular reporting to the corresponding corporate bodies on the situation of those risks of the BBVA Group within its scope of responsibility.
- Identify and assess the material risks faced by the BBVA Group within its scope of responsibility, with an effective management of those risks and, where necessary, with the implementation of the required mitigation measures.
- Early warning to the relevant corporate bodies and the Chief Executive Officer of any material risk within its scope of responsibility that could compromise the solvency of the BBVA Group.
- Ensure, within its scope of responsibility, the integrity of measurement techniques and management information systems and, in general, the provision of models, tools, systems, structures and resources to implement the risk strategy defined by the corporate bodies.
- Promote the risk culture of the BBVA Group to ensure the consistency of the Model in the different countries where it operates, strengthening the cross-cutting model of the risks function.
For decision-making, the Group’s Chief Risk Officer has a governance structure for the role that culminates in a support forum, the Global Risk Management Committee (GRMC), which is established as the main executive-level committee on the risks within its remit. Its purpose is to develop the strategies, policies, regulations and infrastructures needed to identify, assess, measure and manage the material risks within its remit that the Group faces in its business activity. This committee is composed by the Chief Risk Officer, who chairs the meetings, and the heads of the Corporate Area of the disciplines of GRM, the “Risk Management Group”, “Strategy and Development”, “South America and Turkey”, and “Risk Internal Control”; and by the heads of GRM in the three most important geographical units and in CIB. The purpose of the GRMC is to propose and challenge, among other issues, the internal regulatory framework of GRM and the infrastructures required to identify, assess, measure and manage the risks faced by the Group in carrying out its businesses and to approve risk limits.
The GRMC carries out its functions assisted by various support committees which include:
- Global Credit Risk Management Committee: It is responsible for analyzing and decision-making related to wholesale credit risk admission.
- Wholesale Credit Risk Management Committee: It is responsible for analyzing and making decisions related to wholesale credit risk admission in specific customer segments of BBVA Group, as well as being informed of the relevant decisions adopted by members of the committee within their scope of decision-making at corporate level.
- Work Out Committee: Its purpose is to be informed about decisions taken under the delegation framework regarding risk proposals concerning clients on Watch List and clients classified as NPL or written-off of certain customer segments of BBVA Group; and the sanction of proposals regarding entries, exits and changes of Watch List, entries and exits in non- performing, unlikely to pay and turns to written off; as well as the approval of other proposals that must be seen in this Committee according to the established thresholds and criteria.
- Asset Allocation Committee: The executive authority responsible for managing the limits by asset class for credit risk, equities and real estate not for own use and by business area and at group level established in the Asset Allocation limits planning exercise, which aims to achieve an optimal combination and composition of portfolios under the restrictions imposed by the Risk Appetite Framework (RAF), which allows maximizing the risk- adjusted return on regulatory and economic capital when appropriate. Additionally, it takes into account the concentration and asset quality objectives of the portfolio, as well as the prospects and strategic needs of the Bank.
- Risk Models Management Committee: It ensures an appropriate decision-making process regarding the planning, development, implementation, use, validation and monitoring of the models required to achieve an appropriate management of the Model Risk in the BBVA Group.
- Global Market Risk Unit Global Committee (CGGMRU): its purpose is to formalize, supervise and communicate the trading risk monitoring in all Global Markets business units, as well as coordinating and approving the key decisions to GMRU activity, and preparing and proposing the corporate regulation of the unit to the GRMC.
- Retail Credit Risk Committee: it ensures for the analysis, discussion and decision support on all issues regarding the retail credit risk management that impact or potentially do in the practices, processes and corporate metrics established in the General Policies, Rules and Operating Frameworks.
- Asset Management Global Risk Committee: the purpose of the committee is to develop and coordinate the strategies, policies, procedures and infrastructure necessary to identify, evaluate, measure and manage the material risks faced by the institution in the performance of its businesses linked to BBVA Asset Management.
- Global Insurance Risk Committee: its purpose is to serve as the basis for the development of the risk management model and the monitoring of the insurance companies of the BBVA Group by developing and coordinating the strategies, policies, procedures and infrastructure necessary to identify, evaluate, measure, monitor and manage the material risks faced by insurance companies.
- Products, Operations and Risks Committee (COPOR): Its purpose is the analysis and decision-making in relation to the operations in the various geographical areas in which Global Markets is present.
- GRM Continuity Committee: this committee operates under the provisions of the Corporate Continuity Committee for the different Areas. Its purpose is to analyze and make decisions about exceptional crisis situations, with the aim of managing continuity and the restoration of critical GRM processes, minimizing the impact of its operations through the Continuity Plan, which covers crisis management and Recovery Plans.
- The Corporate Committee for Admission of Operational Risk and Product Governance (CCAROyGP) aims to ensure the adequate evaluation of initiatives with significant operational risk (new business, product, outsourcing, process transformation, new systems, etc.) from the perspective of operational risk and approval of the proposed control environment.
Risk units of the corporate area and the business/geographical areas
The risks function is comprised of risk units from the corporate area, which carry out cross-cutting functions, and of risk units of the geographical/business areas.
- The risk units of the corporate area develop and submit to the Group's Chief Risk Officer the different elements required to define the proposal for the Group's Risk Appetite Framework, the general policies, regulation and global infrastructures within the operating framework approved by corporate bodies; they ensure their application and report directly or through the Group's Chief Risk Officer to the corporate bodies of BBVA. With regard to non-financial risks and reputational risk, which are entrusted to the Regulation & Internal Control and Communications & Responsible Business areas respectively, the corporate units of GRM will coordinate, with the corresponding corporate units of those areas, the development of the elements that should be integrated into the Appetite Framework of the Group.
- The risk units of the business and/or geographical areas develop and submit to the Chief Risk Officer of the geographical and/or business areas the Risk Appetite Framework proposal applicable in each geographical and/or business area, independently and always according to the Group's Risk Appetite Framework. In addition, they ensure the application of general policies and corporate rules with the necessary adaptations, when applicable, to local requirements, providing the appropriate infrastructures for risk management and control purposes, within the global risk infrastructure framework defined by the corporate areas, and reporting to the corresponding corporate bodies and senior management, as applicable. With regard to Non-financial risks, which are integrated in the Regulation & Internal Control area, the local risk units will coordinate, with the unit responsible for those risks, the development of the elements that should be integrated into the local Risk Appetite Framework.
Thus, the local risk units work with the risk units of the corporate area with the aim of adapting themselves to the risk strategy at Group level and pooling all the information required to monitor the evolution of their risks.
As previously mentioned, the risks function has a decision-making process supported by a structure of committees, and also a top- level committee, the GRMC, whose composition and functions are described in the section "Chief Risk Officer of the Group."
Each geographical and/or business area has its own risk management committee(s), with objectives and contents similar to those of the corporate area. These committees perform their duties consistently and in line with general risk policies and corporate rules, and its decisions are reflected in the corresponding minutes.
Under this organizational scheme, the risks function ensures the integration and application throughout the Group of the risk strategy, the regulatory framework, the infrastructures and standardized risk controls. It also benefits from the knowledge and proximity to customers in each geographical and/or business area, and conveys the corporate risk culture to the Group's different levels. Moreover, this organization enables the risks function to conduct and report to the corporate bodies an integrated monitoring and control of the risks of the entire Group.
Chief Risk Officers of geographical and/or business areas
The risks function is cross-cutting, i.e. it is present in all of the Group's geographical and/or business areas through specific risk units. Each of these units is headed by a Chief Risk Officer for the geographical and/or business area who, within the relevant scope of responsibility, carries out risk management and control functions and is responsible for applying the Model, the general policies and corporate rules approved at Group level in a consistent manner, adapting them if necessary to local requirements and with the subsequent reporting to local corporate bodies.
The Chief Risk Officers of the geographical and/or business areas have functional reporting to the Group's Chief Risk Officer and hierarchical reporting to the head of their geographical and/or business area. This dual reporting system aims to ensure the independence of the local risks function from the operational functions and enable its alignment with the Group's general policies and goals related to risks.
Risk Internal Control
The Group has a specific Risk Internal Control unit, within the Regulation & Internal Control area, that, among other tasks, independently challenges and control the regulation and governance structure in terms of financial risks and its implementation and deployment in GRM, in addition to the challenge of the development and implementation of financial risks control and management processes. It is also responsible for the validation of risk models.
For this purpose, it has 3 subunits: RIC-Processes, Risks Technical Secretariat and Risk Internal Validation.
- RIC-Processes. It is responsible for challenging an appropriate development of the functions of GRM units, and for reviewing that the functioning of financial risk management and control processes is appropriate and in line with the corresponding regulation, identifying potential opportunities for improvement and contributing to the design of the action plans to be implemented by the responsible units. In addition, it is the Risk Control Specialist (RCS) in the Group's Internal Control Model and, therefore, establishes the frameworks for mitigating and controlling the risks for which it is responsible.
- Risks Technical Secretariat. It is responsible for the definition, design and management of the principles, policies, criteria and processes through which the regulatory risk framework is developed, processed, reported and disclosed to the countries; and for the coordination, monitoring and assessment of its consistency and completeness. In addition, it coordinates the definition and structure of the most relevant GRM Committees, and monitors their proper functioning, in order to ensure that all risk decisions are taken through an adequate governance and structure, ensuring their traceability. It also provides to the CRC the technical support required in terms of financial risks for a better performance of its functions.
- Risk Internal Validation. It is responsible for validating the risks models. In this regard, it effectively challenges the relevant models used to manage and control the risks faced by the Group, as an independent third party from those developing or using the models in order to ensure its accuracy, robustness and stability. This review process is not restricted to the approval process, or to the introduction of changes in the models; it is a plan to make a regular assessment of those models, with the subsequent issue of recommendations and actions to mitigate identified weaknesses.
The Head of Risk Internal Control of the Group is responsible for the function and reports about his activities and work plans to the Head of Regulation & Internal Control and to the CRC, with the corresponding support in the issues required, and, in particular, challenging that GRM's reports submitted to the Committee are aligned with the criteria established at the time.
In addition, the risk internal control function is global and transversal, it includes all types of financial risks and has specific units in all geographical and/or business areas, with functional reporting to the Head of Risk Internal Control of the Group.
The Risk Internal Control function must ensure compliance with the general risks strategy defined by the Board of Directors, with adequate proportionality and continuity. In order to comply with the control activity within its scope. Risk Internal Control is member of GRM's top-level committees (sometimes even assuming the Secretariat role), independently verifying the decisions that may be taken and, specifically, the decisions related to the definition and application of internal risk regulation.
Furthermore, the control activity is developed within a homogeneous methodological framework at a Group level, covering the entire life cycle of financial risk management and carried out under a critical and analytical approach.
The Risk Internal Control team reports the results of its control function to the corresponding heads and teams, promoting the implementation of corrective measures and submitting these assessments and the resolution commitments in a transparent manner to the established levels.
Lastly, and notwithstanding the control responsibility that GRM teams have in the first instance, Risk Internal Control teams promote a control culture in GRM, conveying the importance of having robust processes.
4.1.2 Risk appetite framework
Elements and development
The Group's Risk Appetite Framework approved by the corporate bodies determines the risks and the risk level that the Group is willing to assume to achieve its business objectives considering the organic evolution of business. These are expressed in terms of solvency, liquidity and funding, and profitability, as well as recurrence of revenue, which are reviewed not only periodically but also if there are any substantial changes in the business strategy or relevant corporate transactions.
The Risk Appetite Framework is expressed through the following elements:
Risk appetite statement: sets out the general principles of the Group's risk strategy and the target risk profile:
"The BBVA Group develops a multichannel and responsible universal banking business model, based on values, committed to sustainable development and centred on our customers' needs, focusing on operational excellence and the preservation of adequate security and business continuity.
BBVA intends to achieve these goals while maintaining a moderate risk profile, so the risk model established aims at ensuring a robust financial position, facilitating its commitment with sustainability and obtaining a sound risk- adjusted profitability throughout the cycle, as the best way to face adverse environments without jeopardizing its strategies.
BBVA Group's risk management is based on prudent management, and a comprehensive and prospective vision of all risks, to allow us to adapt to the disruptive risks inherent in the banking business. It includes the climate factor, a diversification of portfolios by geographies, asset classes and customer segments, prevention of money laundering and terrorist financing, and the maintenance of a long-term relationship with customers, supporting them in the transition to a sustainable future, to promote profitable growth and recurring generation of value."
Statements and core metrics: Statements are established, based on the risk appetite statement, specifying the general principles of risk management in terms of solvency, liquidity and funding, profitability and income recurrence. Moreover, the core metrics reflect, in quantitative terms, the principles and the target risk profile set out in the Risk Appetite statement. Each core metric has three thresholds ranging from usual management of the businesses to higher levels of impairment:
- Management benchmark: a benchmark that determines a comfortable management level for the Group.
- Maximum appetite: the maximum level of risk that the Group is willing to accept in its ordinary activity.
- Maximum capacity: the maximum risk level that the Group could assume, which for some metrics is associated with regulatory requirements.
- Metrics by type of risk: based on the core metrics and their thresholds, a number of metrics are determined for each type of risk, whose observance enables compliance with the core metrics and the Group's Risk Appetite statement. These metrics have a maximum risk appetite threshold.
In addition to this Framework, statements are established that include the general principles for each risk type, as well as a level of management limits that is defined and managed by the areas responsible for the management of each type of risk in the development of the structure of metrics by type of risk, in order to ensure that the early management of risks complies with that structure and, in general, with the established Risk Appetite Framework.
Each significant geographical area (that is, those representing more than 1% of the assets or operating income of the BBVA Group) has its own Risk Appetite framework, consisting of its local Risk Appetite statement, core statements and metrics, and metrics by type of risk, which must be consistent with those set at the Group level, but adapted to their own reality. These are approved by the corresponding corporate bodies of each entity. This Appetite Framework is supplemented by statements for each risk type and has a limit structure in line and consistent with the above.
The corporate risks area works with the various geographical and/or business areas to define their Risk Appetite Framework, so that it is coordinated with, and integrated into, the Group's Risk Appetite Framework, making sure that its profile is in line with the one defined. Moreover, and for the purposes of monitoring at local level, the Chief Risks Officer of the geographical and/or business area regularly reports on the evolution of the metrics of the Local Risk Appetite Framework to the corporate bodies, as well as to the relevant top-level local committees, following a scheme similar to that of the Group, in accordance with its own corporate governance systems.
Within the issuing process of the Risk Appetite Framework, Risk Internal Control carries out, within the scope of the GRM area the effective challenge of the Framework proposal prior to its escalation to corporate bodies, which is also documented, and it is extended to the approval of the management limits under which it is developed, also supervising its adequate approval and extension to the different entities of the Group. Likewise, in each significant geographical area, the local Risk Internal Control unit, working in the Risk Management Committee (hereinafter, RMC), carries out an effective challenge of the local Risk Appetite Framework prior to its escalation to local corporate bodies, which is also documented, and extended to the local approval process of the management limits.
Monitoring of the Risk Appetite Framework and management of breaches
So that corporate bodies can develop the risk functions of the Group, the heads of risks at an executive level will regularly report (more frequently in the case of the CRC, within its scope of responsibility) on the evolution of the metrics of the Risk Appetite Framework of the Group, with the sufficient granularity and detail, in order to check the degree of compliance of the risks strategy set out in the Risk Appetite Framework of the Group approved by the Board of Directors.
If, through the monitoring of the metrics and supervision of the Risk Appetite Framework by the executive areas, a relevant deviation or breach of the maximum appetite levels of the metrics is identified, that situation must be reported and, where applicable, the corresponding corrective measures must be submitted to the CRC.
After the relevant review by the CRC, the deviation must be reported to the CDP (as part of its role in the monitoring of the evolution of the risk profile of the Group) and to the Board of Directors, which will be responsible, when applicable, for implementing the corresponding executive measures, including the modification of any metric of the Risk Appetite Framework. For this purpose, the CRC will submit to the corresponding corporate bodies all the information received and the proposals prepared by the executive areas, together with its own analysis.
Notwithstanding the foregoing, once the information has been analyzed and the proposal of corrective measures has been reviewed by the CRC, the CDP may adopt, on grounds of urgency and under the terms established by law, measures corresponding the Board of Directors, but always reporting those measures to the Board of Directors in the first meeting held after the implementation for ratification purposes.
In any case, an appropriate monitoring process will be established (with a greater information frequency and granularity, if required) regarding the evolution of the breached or deviated metric, and the implementation of the corrective measures, until it has been completely redressed, with the corresponding reporting to corporate bodies, in accordance with its risks monitoring, supervision and control functions.
Integration of the Risk Appetite Framework into the management
The transfer of the Risk Appetite Framework to ordinary management is underpinned by three basic elements:
- The existence of a standardized set of regulations: the corporate risks area defines and proposes the general policies within its scope of action, and develops the additional internal regulation required for the development of those policies and the operating frameworks on the basis of which risk decisions must be adopted within the Group. The approval of the general policies for all types of risks is a responsibility of the corporate bodies of BBVA, while the rest of regulation is defined at an executive level according to the framework of competences applicable at any given time. The Risks units of the geographical and/or business areas comply with this regulation and performing, where necessary, the relevant adaptation to local requirements, in order to have a decision-making process that is appropriate at local level and aligned with the Group's policies.
- Risk planning, which ensures the integration into the management of the Risk Appetite Framework through a cascade process established to set limits adjusted to the target risk profile. The Risks units of the corporate area and of the geographical and/or business areas are responsible for ensuring the alignment of this process with the Group's Risk Appetite Framework in terms of solvency, liquidity and funding, profitability, and recurrence of earnings.
- A comprehensive management of risks during their life cycle, based on differentiated treatment according to their type.
4.1.3 Assessment, monitoring and reporting
Assessment, monitoring and reporting is a cross-cutting function at Group level. This function ensures that the model has a dynamic and proactive vision to enable compliance with the Risk Appetite Framework approved by the Board of Directors, even in adverse scenarios.
This process is integrated in the activity of the Risk units, both of the corporate area and in the geographical and/or business units, together with the units specialized in non-financial risks and reputational risk within the Regulation & Internal Control and Communications & Responsible Business areas respectively, in order to generate a comprehensive and single view of the risk profile of the Group.
This process is developed through the following phases:
- Monitoring of the identified risk factors that can compromise the performance of the Group or of the geographical and/or business areas in relation to the defined risk thresholds.
- Assessment of the impact of the materialization of the risk factors on the metrics that define the Risk Appetite Framework based on different scenarios, including stress testing scenarios (EU-wide stress testing).
- Response to unwanted situations and proposals for redressing measures to the corresponding levels, in order to enable a dynamic management of the situation, even before it takes place.
- Monitoring the Group's risk profile and the identified risk factors, through internal, competitor and market indicators, among others, to anticipate their future development.
- Reporting: complete and reliable information on the evolution of risks to corporate bodies and senior management, in accordance with the principles of accuracy, exhaustiveness, clarity and utility, frequency, and adequate distribution and confidentiality. The principle of transparency governs all the risk information reporting process.
For the implementation of the Model, the Group has the resources required for an effective management and supervision of risks and for achieving its goals. In this regard, the Group's risks function:
- Has the appropriate human resources in terms of number, ability, knowledge and experience. The profile of resources will evolve over time based on the specific needs of the GRM and Regulation & Internal Control areas, always with a high analytical and quantitative capacity as the main feature in the profile of those resources. Likewise, the corresponding units of the geographical and/or business areas have sufficient means from the resources, structures and tools perspective in order to achieve a risk management process aligned with the corporate model.
- Develops the appropriate methodologies and models for the measurement and management of the different risk profiles, and the assessment of the capital required to take those risks.
- Has the technological systems required to: support the Risk Appetite Framework in its broadest definition; calculate and measure the variables and specific data of the risk function; support risk management according to this Model; and provide an environment for storing and using the data required for risk management purposes and reporting to supervisory bodies.
- Promotes adequate data governance, in accordance with the principles of governance, infrastructure, precision and integrity, completeness, promptness and adaptability, following the quality standards of the internal regulations referring to this matter.
Within the risk functions, both the profiles and the infrastructure and data shall have a global and consistent approach.
The human resources among the countries must be equivalent, ensuring a consistent operation of the risk function within the Group. However, they will be distinguished from those of the corporate area, as the latter will be more focused on the conceptualization of appetite frameworks, operating frameworks, the definition of the regulatory framework and the development of models, among other tasks.
As in the case of the human resources, technological platforms must be global, thus enabling the implementation of the Risk Appetite Framework and the standardized management of the risk life cycle in all countries.
The corporate area is responsible for deciding on the platforms and for defining the knowledge and roles of the human resources. It is also responsible for defining risk data governance.
The foregoing is reported to the corporate bodies of BBVA so they can ensure that the Group has the appropriate means, systems, structures and resources.
4.2 Credit risk
In 2020, following the outbreak of the pandemic, the local authorities of the countries in which the Group operates initiated economic support measures for the management of the COVID-19 crisis, including the granting of relief measures in terms of temporary payment deferrals to customers affected by the pandemic, as well as the granting of loans covered by public guarantees, especially to companies and self-employed workers.
These measures were supported by the rules issued by the authorities of the geographical areas where the Group operates, as well by certain industry agreements, and were intended to ease the temporary liquidity needs of the customers. By the end of the year, the temporary deferral measures had been completed in all the geographical areas.
For the purposes of classifying exposures based on their credit risk, the Group has maintained a rigorous application of IFRS 9 at the time of granting the moratoriums and has reinforced the procedures to monitor credit risk both during their tern and upon their maturity. In this regard, additional indicators were introduced to identify the significant increase in risk that may have occurred in some operations or a set of them and, where appropriate, proceed to classify it in the corresponding risk stage.
Likewise, the indications provided by the European Banking Authority (EBA) have been taken into account, to not consider as refinancing the moratoriums that meet a series of requirements and that have been requested before March 31, 2021, without prejudice to keep the exposure classified in the corresponding risk stage or its consideration as refinancing if it was previously so classified.
In relation to the temporary payment deferrals for customers affected by the pandemic and with the goal of mitigating as much as possible the impact of these measures in the Group, due to the high concentration of its maturities over time, continuous monitoring of the effectiveness of these measures has been carried out in order to verify their compliance and to adapt dynamically to the evolution of the crisis. As of December 31, 2021, the payment deferrals granted by the Group following EBA criteria amounted to €189m.
Calculation of expected losses due to credit risk
To respond to the circumstances generated by the COVID-19 pandemic in the macroeconomic environment, characterized by a high level of uncertainty regarding its intensity, duration and speed of recovery, forward-looking information was updated in the IFRS 9 models to incorporate the best information available at the date of the publication of this report. The estimation of the expected losses was calculated for the different geographical areas in which the Group operates, with the best information available for each of them, considering both the macroeconomic perspectives and the effects on specific portfolios, sectors or specific debtors. The scenarios used consider the various economic measures that have been announced by governments as well as monetary, supervisory and macroprudential authorities around the world.
The classification of vulnerable activities to COVID-19 was established at the outbreak of the pandemic, in order to identify activities susceptible to further deterioration in the Group’s portfolio. Based on this classification, management measures were taken, with preventive rating adjustments and restrictive definition of risk appetite. Given the progress made during the course of the pandemic, which has led to the almost complete elimination of restrictions on mobility and the subsequent recovery from these restrictions, consideration is now being given to the specific characteristics of each client over and above their belonging to a particular sector.
As of December 31, 2021, in order to incorporate those aspects not included in the impairment models, there are management adjustments to the expected losses amounting to €311m for the entire Group, €226m in Spain, €18m in Peru and €68m in Mexico. As of September 30, 2021 this concept amounted to €304m in total, of which €272m were allocated to Spain and €32m to Peru. The variation in the last quarter is due to the provisions in Spain and Peru, as well as the aforementioned additional provision in Mexico due to the anticipation of the potential impairment associated with support products after the expiry date of the deferrals.
BBVA Group's credit risk indicators
The situation generated by the pandemic continued to affect BBVA Group's main risk indicators in 2021. In addition, in the fourth quarter of 2021, the Group incorporated additional impairment indicators into its credit risk management processes to be consistent with the new definition of default (NDoD) in accordance with Article 178 of Regulation (EU) No 575/2013 (CRR) that applies in the prudential area. The incorporation of these complementary indicators has led to a one-off increase in the balance of non-performing loans and thus an effect on the NPL ratio and the NPL coverage ratio. In view of the above and the recurring trend, the Group’s main credit risk indicators behaved as follows:
- Credit risk has increased by 1.2% in the quarter (+3.5% at constant exchange rates). At constant exchange rates and at the Group level, there was a generalized increase in this metric during the quarter, led by Spain and Rest of Business (originating from certain wholesale operations), with increases in Mexico, Turkey and South America (highlighting Argentina and Colombia). Compared to the end of December 2020, credit risk increased by 2.5% (+5.3% at constant exchange rates, with growth in all geographical areas except Chile and Peru).
- The balance of non-performing loans (NPL) increased in the fourth quarter of the year (+3.9% in current terms and 5.8% at constant rates) in practically all geographical areas, as a result of the aforementioned implementation of the new definition of default. Compared to the end of 2020, the balance decreased by 0.1% (+3.6% at constant exchange rates) with decreasing NPL flows in the first three quarters of the year supported by contained inflows and positive recoveries, and a fourth quarter impacted by the implementation of the aforementioned new definition of default.
NON-PERFORMING LOANS (1) AND PROVISIONS (1) (MILLIONS OF EUROS)
(1) Excludes BBVA USA and the rest of the companies in the United States sold to PNC on June 1, 2021.
- The NPL ratio stood at 4.1% as of December 31, 2021 (4.0% in September 2021), 10 basis points below the figure recorded in December 2020. Excluding the effect of introduction of the new definition of default, the NPL ratio would have been around 3.8% as of December 2021, which is 45 basis points below the figure recorded at the end of 2020.
- Loan-loss provisions decreased by 8.4% compared to December 2020 (-3.0% in the quarter) as a result of the NPL management carried out during the year coupled with an increase in write-offs.
- The NPL coverage ratio amounted to 75%, -682 basis points in contrast with the end of 2020. Compared to the previous quarter, the NPL coverage ratio was -533 basis points lower.
- The cumulative cost of risk as of December 30, 2021 stood at 0.93% (62 basis points below the end of 2020 and +1 basis point compared to September 2021).
NPL (1) AND NPL COVERAGE (1) RATIOS AND COST OF RISK (1) (PERCENTAGE)
(1) Excluding BBVA USA and the rest of the companies in the United States sold to PNC on June 1, 2021.
CREDIT RISK(1) (MILLIONS OF EUROS)
|NPL ratio (%)||4.1||4.0||4.2||4.3||4.2|
|NPL coverage ratio (%) (2)||75||80||77||81||82|
General note: figures excluding BBVA USA and the rest of the companies in the United States sold to PNC on June 1, 2021, for the periods of 2021 and December 2020, and the classification of BBVA Paraguay as non-current assets and liabilities held for sale for December 2020.
(1) Include gross loans and advances to customers plus guarantees given.
(2) The NPL coverage ratio includes the valuation adjustments for credit risk during the expected residual life of those financial instruments which have been acquired (mainly originated from the acquisition of Catalunya Banc, S.A.). Excluding these allowances, the NPL coverage ratio would stand at 73% as of December 31, 2021 and 79% as of December 31, 2020.
NON-PERFORMING LOANS EVOLUTION (MILLIONS OF EUROS)
|Exchange rate differences and other||(228)||(80)||(55)||(36)||31|
|Non performing guarantees given||786||637||663||681||743|
General note: figures excluding BBVA USA and the rest of the companies in the United States sold to PNC on June 1, 2021, for the periods of 2021 and the fourth quarter of 2020, and the classification of BBVA Paraguay as non-current assets and liabilities held for sale for the the fourth quarter of 2020.
(1) Preliminary data.
4.3 Market risk
For further information, see Note 7.4 of the Consolidated Financial Statements.
4.4 Structural risks
Liquidity and funding
Liquidity and funding management at BBVA aims to finance the recurring growth of the banking business at suitable maturities and costs, using a wide range of instruments that provide access to a large number of alternative sources of financing. In this context, it is important to notice that, given the nature of BBVA's business, the funding of lending activity is fundamentally carried out through the use of stable customer funds.
Due to its subsidiary-based management model, BBVA is one of the few major European banks that follows the Multiple Point of Entry (MPE) resolution strategy: the parent company sets the liquidity policies, but the subsidiaries are self-sufficient and responsible for managing their own liquidity and funding (taking deposits or accessing the market with their own rating), without fund transfers or financing occurring between either the parent company and the subsidiaries or between the different subsidiaries. This strategy limits the spread of a liquidity crisis among the Group's different areas and ensures that the cost of liquidity and financing is correctly reflected in the price formation process.
In view of the initial uncertainty caused by the outbreak of COVID-19 in March 2020, different central banks provided a joint response through specific measures and programs, some of which have been extended into 2021 to facilitate the financing of the real economy and the provision of liquidity in the financial markets, supporting the soundness of liquidity buffers in all geographical areas.
The BBVA Group maintains a solid liquidity position in every geographical area in which it operates, with liquidity ratios well above the minimum required:
- The BBVA Group's liquidity coverage ratio (LCR) remained comfortably above 100% throughout 2021, and stood at 165% as of December 31, 2021. For the calculation of this ratio, it is assumed that there is no transfer of liquidity among subsidiaries; i.e. no type of excess liquidity levels in foreign subsidiaries are considered in the calculation of the consolidated ratio. When considering these excess liquidity levels, the BBVA Group's LCR would stand at 213%.
- The net stable funding ratio (NSFR), defined as the ratio between the amount of stable funding available and the amount of stable funding required, demands banks to maintain a stable funding profile in relation to the composition of their assets and off-balance sheet activities. This ratio should be at least 100% at all times. The BBVA Group's NSFR ratio, calculated based on the criteria established in the Regulation (UE) 2019/876 of the European Parliament and of the Council of May 20, 2019, with entry into force in June 2021, stood at 135% as of December 31, 2021.
The breakdown of these ratios in the main geographical areas in which the Group operates is shown below:
LCR AND NSFR RATIOS (PERCENTAGE. 31-12-21)
|Eurozone (1)||Mexico||Turkey||South America|
|LCR||190||245||211||All countries >100|
|NSFR||126||149||162||All countries >100|
(1) Perimeter: Spain + the rest of the Eurozone where BBVA has presence.
One of the key elements in BBVA's Group liquidity and funding management is the maintenance of large high quality liquidity buffers in all the geographical areas where the Group operates. In this respect, the Group has maintained for the last 12 months an average volume of high quality liquid assets (HQLA) accounting to €138,2 billion, among which, 93% correspond to maximum quality assets (LCR Tier 1).
The most relevant aspects related to the main geographical areas are the following:
- In the Eurozone, BBVA has continued to maintain a sound position with a large high-quality liquidity buffer. During 2021, commercial activity has drawdown liquidity amounting to approximately €9 billion due to the increase in lending activity, especially in the last quarter of the year, as well as the decrease in the volume of deposits, mainly wholesale. It should also be noted that in the second quarter of 2021, the payment of the BBVA USA sale transaction was collected. In addition, in March 2021, BBVA S.A. took part in the TLTRO III liquidity window program to take advantage of the improved conditions announced by the European Central Bank (ECB) in December 2020, with an amount drawn of €3.5 billion that, together with the €34.9 billion available at the end of December 2020 , amount to €38.4 billion at the end of December 2021.
- In BBVA Mexico, commercial activity has provided liquidity between January and December 2021 in the amount of approximately 73 billion Mexican pesos, derived from a higher growth in customer funds compared to the growth in lending activity. This increased liquidity is expected to be reduced due to the recovery in lending activity expected in 2022. This solid liquidity position has allowed to carry out an efficient policy in the cost of funding, in an environment of higher interest rates. In terms of wholesale issuances, there was no need to refinance any maturities in 2021, having matured in 2021 a subordinated issue amounting to USD 750m and a senior issue amounting to 4,500 million Mexican pesos.
- In the fourth quarter, the Central Bank of the Republic of Turkey made a series of cuts in benchmark rates, despite the increases in the inflation rate, for a total of 400 basis points to 14%, triggering an adverse reaction from the markets and severe currency depreciation. In order to alleviate the depreciation of the currency, during the month of December, the Turkish government implemented a new mechanism to encourage local currency deposits. During 2021, the lending gap in local currency has widened, with a higher increase in loans than in deposits, while the lending gap in foreign currency has narrowed, due to a decline in loans and an increase in deposits. Garanti BBVA continues to maintain a stable liquidity position with comfortable ratios.
- In South America, the liquidity situation remains adequate throughout the region, despite the fact that central banks in the region have started rate hike cycles and withdrawal of stimulus programs that mitigate the impact of the COVID-19 crisis. In Argentina, liquidity in the system and in BBVA continues to increase due to the higher growth in deposits than in loans in local currency. In BBVA Colombia, activity picks up accompanied by the growth in deposits. BBVA Peru maintains solid levels of liquidity, while reducing excess liquidity due to growth in lending activity, combined with a contraction of deposits, following a costs control strategy.
The main wholesale financing transactions carried out by the companies of the BBVA Group are listed below:
- In March 2021, BBVA S.A. issued a senior preferred debt for an amount of €1 billion, with a maturity of 6 years and an option for early redemption after five years. In September 2021, BBVA S.A. issued a floating rate senior preferred bond totaling €1 billion and maturing in 2 years, the fifth issue made by BBVA linked to environmental, social and governance (ESG) criteria. Additionally, in January 2022, BBVA S.A. issued a €1 billion senior non-preferred bond, with a maturity of 7 years and an option for early redemption in the sixth year, with a coupon of 0.875%.
- In Turkey, there have been no issuances in 2021. The Bank renewed its syndicated loans in June and November, indexed to sustainability criteria. On June 2, BBVA Garanti renewed 100% of a syndicated loan, formed by two separate tranches, amounting to USD 279m and €294m, with a 1-year maturity and a cost of Libor +2.50% and Euribor +2.25%, respectively. In November, the Bank renewed 100% of the second tranche of the mentioned loan, for USD 365m and €247m, at a cost of Libor + 2.15% and Euribor + 1.75% respectively.
- In South America, BBVA Uruguay issued in February 2021 the first sustainable bond on the Uruguayan financial market for USD 15m at an initial interest rate of 3.854%.
Foreign exchange risk management of BBVA's long-term investments, principally stemming from its overseas franchises, aims to preserve the Group's capital adequacy ratio and ensure the stability of its income statement.
BBVA maintains its policy of actively hedging its main investments in emerging markets, covering on average between 30% and 50% of annual earnings and around 70% of the CET1 capital ratio surplus. The closing of the sale of BBVA USA in June has modified the Group's CET1 fully-loaded ratio sensitivity to changes in the currencies. The most affected sensitivity by this change has been the U.S. dollar, which stands at around +18 basis points in the face of a 10% depreciation in the currency. The sensitivity of the Mexican peso is estimated at -7 basis points at the end of December 2021 and -1 basis point in the case of the Turkish lira, both currencies estimated against a depreciation of 10%. With regard to coverage levels of the expected results for 2022 is close to 65% in the case of Mexico, 20% in Turkey and 100% in Peru and Colombia.
Interest rate risk management seeks to limit the impact that BBVA may suffer, both in terms of net interest income (short-term) and economic value (long-term), from adverse movements in the interest rate curves in the various currencies in which the Group operates. BBVA carries out this work through an internal procedure, pursuant to the guidelines established by the European Banking Authority (EBA), in order to analyze the potential impact that could derive from a range of scenarios on the Group's different balance sheets.
The model is based on assumptions intended to realistically mimic the behavior of the balance sheet. Of particular relevance are assumptions regarding the behavior of accounts with no explicit maturity and prepayment estimates. These assumptions are reviewed and adapted at least once a year to take into account any changes in observed behavior.
At the aggregate level, BBVA continues to maintain a moderate risk profile, in accordance with the established objective, showing positive sensitivity toward interest rate increases in the net interest income. Effective management of structural balance sheet risk has mitigated the negative impact of the downward trend in interest rates and the volatility experienced as a result of the effects of COVID-19, and is reflected in the soundness and recurrence of net interest income.
At the market level, the fourth quarter of 2021, has seen flattening of the main sovereign curves in developed countries (mainly due to higher increases in the short sections of the curve), resulting from biases towards more restrictive monetary policies of central banks in the face of higher inflation levels (especially in the United States). With regard to the emerging world, similar flattening moves, continuing with the rate hike cycle, even accelerating the pace in many of the countries (with the exception of Turkey, which dropped 400 basis points in total at the October, November and December meetings).
By area, the main features are:
- Spain has a balance sheet characterized by a high proportion of variable-rate loans (basically mortgages and corporate lending) and liabilities composed mainly of customer demand deposits. The ALCO portfolio acts as a management lever and hedging for the bank's balance sheet, mitigating its sensitivity to interest rate fluctuations. The balance sheet interest rate risk profile remained stable during the year, showing a positive net interest income sensitivity to 100 basis points increases by the interest rates slightly above 20%.
- On the other hand, the ECB held the marginal deposit facility rate unchanged at -0.50% during the year and maintained the extraordinary support programs created due to the COVID-19 crisis (in December it announced the end in March 2022 of its Pandemic Emergency Purchase Program, which was launched at the outbreak of the pandemic). This has created stability in European benchmark interest rates (Euribor) throughout 2021. In this sense, customer spread keeps pressured by the low interest rates environment.
- Mexico continues to show a balance between fixed and variable interest rates balances. In terms of assets that are most sensitive to interest rate fluctuations, the commercial portfolio stands out, while consumer loans and mortgages are mostly at a fixed rate. The ALCO portfolio is invested primarily in fixed-rate sovereign bonds with limited maturities. Net interest income sensitivity continues to be limited, registering a positive impact against 100 basis points increases in the Mexican peso, which is around 2%. The monetary policy rate stands at 5.50%, higher that at the end of 2020 (4.25%), after a 25 basis points reduction during the first quarter of 2021 and increases of 150 basis points since the June meeting. Regarding the consumer spread, an improvement can be appreciated during 2021, a trend which should continue due to the higher interest rates environment.
- In Turkey, the sensitivity of loans, which are mostly fixed-rate but with relatively short maturities, and the ALCO portfolio balance the sensitivity of deposits on the liability side. The interest rate risk is thus limited, both in Turkish lira and in foreign currencies. With regard to benchmark rates, there was an increase of 200 basis points in the first quarter compared to the level seen in December 2020; during the second quarter the benchmark rates remained unchanged; and, in the third and fourth quarters saw a reversal of the trend, with reductions of 100 and 400 basis points, respectively. The customer spread in Turkish lira has improved in 2021 in a volatile environment.
- In South America, the interest rate risk profile remains low as most countries in the area have a fixed/variable composition and maturities that are very similar for assets and liabilities, with limited net interest income sensitivity. In addition, in balance sheets with several currencies, interest rate risk is managed for each of the currencies, showing a very low level of risk. Regarding the benchmark rates of the central banks of Peru and Colombia, a rising trend in rates began in the third quarter of 2021, with increases of 225 and 125 basis points, respectively, throughout the second half of the year. There has been little change in customer spreads during the year, which are expected to improve in an environment of higher interest rates.
INTEREST RATES (PERCENTAGE)
|Official ECB rate||0.00||0.00||0.00||0.00||0.00||0.00||0.00||0.00|
|Euribor 3 months (1)||(0.58)||(0.55)||(0.54)||(0.54)||(0.54)||(0.49)||(0.38)||(0.42)|
|Euribor 1 year (1)||(0.50)||(0.49)||(0.48)||(0.49)||(0.50)||(0.41)||(0.15)||(0.27)|
|USA Federal rates||0.25||0.25||0.25||0.25||0.25||0.25||0.25||0.25|
(1) Calculated as the month average.
4.5 Risks associated with climate change
The risks related to climate change are considered as an additional factor which affects the risk categories already identified and defined in the BBVA Group and are therefore managed through the Groups risk management frameworks (credit, market, liquidity, operational and other non-financial risks). As a consequence, the BBVA Group’s climate change risk-related is based on their incorporation into the currently processes and governance established, considering the regulation and supervisory trends.
The information on the management of risks associated with climate change required by Law 7/2021, of May 20, on climate change and energy transition, is described in section 2.3.5 of the Chapter "Report on climate change and other environmental and social issues” of this report.
4.6 Operational Risk
BBVA defines operational risk (“OR”) as any risk that could result in losses caused by human error; inadequate or flawed internal processes; undue conduct with respect to customers, markets or the institution; antimoney laundering and financing of terrorist activities; failures, interruptions or flaws in systems or communications; theft, loss or wrong use of information, as well as deterioration of its quality, internal or external fraud, including in any case those derived from cyberattacks; theft or harm to assets or persons; legal risks; risks derived from staff management and labor health; and defective service provided by suppliers; as well as damages from extreme climate events, pandemics and other natural disasters.
Operational risk management is oriented towards the identification of the root causes to avoid their occurrence and mitigate possible consequences. This is carried out through the establishment of control framework and monitoring and the development of mitigation plans aimed at minimizing resulting economic and reputational losses and their impact on the recurrent generation of results, and contributing the increase the quality, safety and availability of the provided service. Operational risk management is integrated into the global risk management structure of the BBVA Group.
This section addresses general aspects of operational risk management as the main component of non-financial risks. However, sections devoted to conduct and compliance risk and to cybersecurity risk management are also included in the non-financial information report.
Operational risk management principles
The BBVA Group is committed to preferably applying advanced operational risk management models, regardless of the capital calculation regulatory model applicable at the time. Operational risk management at the BBVA Group shall:
- Be aligned with the Risk Appetite Framework ratified by the BBVA Board of Directors.
- Address BBVA's management needs in terms of compliance with legislation, regulations and industry standards, as well as the decisions or positioning of BBVA's corporate bodies.
- Anticipate the potential operational risk to which the Group may be exposed as a result of the creation or modification of products, activities, processes or systems, as well as decisions regarding the outsourcing or hiring of services, and establish mechanisms to assess and mitigate risk to a reasonable extent prior to implementation, as well as review the same on a regular basis.
- Establish methodologies and procedures to enable regular reassessment of the significant operational risk to which the Group is exposed, in order to adopt appropriate mitigation measures in each case, once the identified risk and the cost of mitigation (cost/benefit analysis) have been considered, while safeguarding the Group's solvency at all times.
- Promote the implementation of mechanisms that support careful monitoring of all sources of operational risk and the effectiveness of mitigation and control environments, fostering proactive risk management.
- Examine the causes of any operational events suffered by the Group and establish means to prevent the same, provided that the cost/benefit analysis so recommends. To this end, procedures must be in place to evaluate operational events and mechanisms and to record the operational losses that may be caused by the same.
- Evaluate key public events that have generated operational risk losses at other institutions in the financial sector and support, where appropriate, the implementation of measures as required to prevent them from occurring at the Group.
- Identify, analyze and attempt to quantify events with a low probability of occurrence and a high impact, which by their exceptional nature may not be included in the loss database; or if they are, feature with impacts that are not very representative for the purpose of valuing possible mitigation measures.
- Have an effective system of governance in place, where the functions and responsibilities of the corporate areas and bodies involved in operational risk management are clearly defined.
- Operational risk management must be performed in coordination with management of other risk, taking into consideration credit or market events that may have an operational origin.
Operational risk control and management model
The operational risk management cycle at BBVA is similar to the one implemented for the rest of risks. Its elements are:
Operational risk management parameters
Operational risk forms part of the risk appetite framework of the Group and includes three types of metrics and limits:
- Economic capital calculated with the operational losses database of the Group, considering the corresponding diversification effects and the additional estimation of potential and emerging risks through stress scenarios designed for the main types of risks. The economic capital is regularly calculated for the main banks of the Group and simulation capabilities are available to anticipate the impact of changes on the risk profile or new potential events.
- ORI metrics (Operational Risk Indicator: operational risk losses vs. gross income) broken down by geography, business area and type of risk.
- Indicators by risk type: a more granular common scheme of metrics (indicators and limits) covering the main types of operational risk is being implemented throughout the Group. These metrics make it possible to intensify the anticipatory management of risk and objectify the appetite to different sources. These indicators are regularly reviewed and adjusted to fix the main risks in force at any time.
Operational risk admission
The main purposes of the operational risk admission phase are the following:
- To anticipate potential operational risk to which the Group may be exposed due to the release of new, or modification of existing, products, activities, processes or systems, as well as purchasing decisions (e.g. outsourcing).
- To ensure that implementation and the roll out of initiatives is only performed once appropriate mitigation measures have been taken in each case, including external assurance of risks where deemed appropriate.
The Corporate Non-Financial Risk Management Policy sets out the specific operational risk admission framework through different committees, both at a corporate and Business Area level, that follow a delegation structure based on the risk level of proposed initiatives.
Operational risk monitoring
The purpose of this phase is to check that the target operational risk profile of the Group is within the authorized limits. Operational risk monitoring considers 2 scopes:
- Monitoring the operational risk admission process, oriented towards checking that accepted risks levels are within the limits and that defined controls are effective.
- Monitoring the operational risk "stock" mainly associated with processes. This is done by carrying out a periodic re- evaluation in order to generate and maintain an updated map of the relevant operational risks in each Area, and evaluate the adequacy of the monitoring and mitigation environment for said risks. This promotes the implementation of action plans to redirect the weaknesses detected.
This process is supported by a corporate Governance, Risk & Compliance tool that monitors the operational risk at a local level and its aggregation at a corporate level.
In addition, and in line with the best practices and recommendations provided by the Bank for International Settlements (hereinafter, BIS), BBVA has procedures to collect the operational losses occurred both in the different entities of the Group and in other financial groups, with the appropriate level of detail to carry out an effective analysis that provides useful information for management purposes and to contrast the consistency of the Group's operational risks map. To that end, a corporate tool of the Group is used.
The Group ensures continuous monitoring by each Area of the due functioning and effectiveness of the control environment, taking into consideration management indicators established for the Area, any events and losses that have occurred, as well as the results of actions taken by the second line of defense, the internal audit unit, supervisors or external auditors.
Operational risk mitigation
The Group promotes the proactive mitigation of the financial risks to which it is exposed and which are identified in the monitoring activities.
In order to rollout common monitoring and anticipated mitigation practices throughout the Group, several cross-sectional plans are being promoted related to focuses from events, lived by the Group or by the industry, self-assessments and recommendations from auditors and supervisors in different geographies, thereby analyzing the best practices at these levels and fostering comprehensive action plans to strengthen and standardize the control environment.
Assurance of operational risk
Assurance is one of the possible options for managing the operational risk to which the Group is exposed, and mainly has two potential purposes:
- Coverage of extreme situations linked to recurrent events that are difficult to mitigate or can only be partially mitigated by other means.
- Coverage of non-recurrent events that could have significant financial impact, if they occurred.
The Group has a general framework that regulates this area, and allows systematizing risk assurance decisions, aligning insurance coverage with the risks to which the Group is exposed and reinforcing governance in the decision-making process of arranging insurance policies.
Operational risk control model
BBVA Group's operational risk governance model is based on two components:
- Three-line defense control model, in line with industry best practices, and which guarantees compliance with the most advanced operational risk internal control standards.
- Scheme of Corporate Assurance Committees and Internal Control and Operational Risk Committees at the level of the different business and support areas.
Corporate Assurance establishes a structure of committees, both at local and corporate level, to provide senior management with a comprehensive and homogeneous vision of the main non-financial risks and significant situations of the control environment. The aim is to support rapid decision-making with foresight, for the mitigation or assumption of the main risks.
Each geography has a Corporate Assurance Committee chaired by the Country Manager and whose main functions are:
- Monitoring the changes in the non-financial risks and their alignment with the defined strategies and policies and the risk appetite.
- Analyzing and assessing controls and measures established to mitigate the impact of the risks identified, should they materialize.
- Making decisions about the proposals for risk taking that are conveyed by the working groups or that arise in the Committee itself
- Promoting transparency by promoting the proactive participation of the three lines of defense in discharging their responsibilities and the rest of the organization in this area.
At the holding level there is a Global Corporate Assurance Committee, chaired by the Group's Chief Executive Officer. Its main functions are similar to those already described but applicable to the most important issues that are escalated from the geographies and the holding company areas.
The business and support areas have an Internal Control and Operational Risk Committee, whose purpose is to ensure the due implementation of the operational risk management model within its scope of action and drive active management of such risk, taking mitigation decisions when control weaknesses are identified and monitoring the same.
Additionally, the Non-Financial Risk unit periodically reports the status of the management of non-financial risks in the Group to the Board's Risk and Compliance Committee.
4.7 Reputational risk
Reputational risk assessment
Since 2016, BBVA disposes of a reputational risk assessment methodology. Through this methodology, the Bank defines and reviews regularly a map in which it prioritizes the reputational risks which have to be faced and the set of action plans to mitigate them. The prioritization is done based on two variables: the impact on the perception of the stakeholders and the strength of BBVA facing the risk.
This exercise is performed annually in all countries where the Group has bank entities. Following the result of the assessment carried out in 2020, 17 mitigation action plans have been conducted during 2021.
Identification of the Reputational Risk
The Responsible Business teams collaborate, together with the rest of the members of BBVA’s second defense line, in the different Committees of Admission of the Operational Risk, both at Group and the different geographical areas level. Those Committees perform the initial identification of potential reputational risks, and, where appropriate, an assessment of the foreseeable impact on BBVA’s reputation,
Reporting of the Reputational Risk
The results of the annual assessment of the Reputational Risk are reported in each geographical area at the appropriate governance level. At Group level, these results are reported to the Global Corporate Assurance Committee and, since 2020, to the Board’s Executive Committee.
4.8 Risk factors
BBVA Group has processes in place for identifying risks and analyzing scenarios in order to enable the Group to manage risks in a dynamic and proactive way.
The risk identification processes are forward looking to seek the identification of emerging risks and take into account the concerns of both the business areas, which are close to the reality of the different geographical areas, and the corporate areas and senior management.
Risks are identified and measured consistently using the methodologies deemed appropriate in each case. Their measurement includes the design and application of scenario analyzes and stress testing and considers the controls to which the risks are subjected.
As part of this process, a forward projection of the Risk Appetite Framework (RAF) variables in stress scenarios is conducted in order to identify possible deviations from the established thresholds. If any such deviations are detected, appropriate measures are taken to keep the variables within the target risk profile.
In this context, there are a number of emerging risks that could affect the evolution of the Group's business. These risks are included in the following blocks:
Risk associated with COVID-19 pandemic
The COVID-19 (coronavirus) pandemic has adversely affected the world economy, and economic activity and conditions in the countries in which the Group operates. Despite the gradual improvement experienced in 2021 driven by the increase in the rate of vaccination, new waves of contagion continue to be a source of concern and the emergence of new strains remains a risk. Among other challenges, these countries are still dealing with high unemployment levels, weak activity, supply disruptions and increasing inflationary pressures, while public debt has increased significantly due to the support and spending measures implemented by the government authorities. Furthermore, there has been an increase in loan losses from both companies and individuals, which has so far been slowed down by the impact of government support measures, including bank payment deferrals, credit with public guarantee and direct aid measures. Likewise, volatility in the financial markets has affected exchange rates - mainly in emerging economies- and the value of assets and investments, which has adversely affected the Group's results in the past, and could do so again. There are still uncertainties about the final future impact of the COVID-19 pandemic, mainly if there is an increase in infections caused by the new variants of the coronavirus.
Furthermore, the Group has been and may be affected during the following quarters or years by the measures or recommendations adopted by regulatory authorities in the banking sector, such as variations in reference interest rates, the modification of prudential requirements, the temporary suspension of dividend payments, the modification of the deferral of monthly installments for certain loans and the granting of guarantees or public guarantees to new credit operations for companies and self-employed persons, the adoption of further similar measures or the termination of those already approved, as well as any changes in financial assets purchase programs by the ECB.
Since the outbreak of the pandemic, the Group has experienced a decline in its activity. For example, the granting of new loans to individuals has generally decreased. In addition, the Group faces various risks, such as an increased risk of volatility in the value of its assets (including financial instruments valued at fair value, which may suffer significant fluctuations) and of the securities held for liquidity reasons, a possible increase in the NPL ratio and risk-weighted assets, as well as a negative impact on the Group's cost of financing and on its access to financing (especially in an environment where credit ratings are affected). Following the generalized lifting of mobility restrictions and the increasing resumption of normal operations, greater emphasis is being placed on the particular circumstances of each customer, in addition to its respective industry or sector.
Furthermore, the pandemic could continue to adversely affect the business and transactions of third parties that provide critical services to the Group and, in particular, the higher demand and/or the lower availability of certain resources could, in some cases, make it more difficult for the Group to maintain the required service levels. In addition, the widespread use of remote work has increased the risks related to cybersecurity, as the use of non-corporate networks has increased.
In summary, while the COVID-19 pandemic had adverse effects on the Group's results and capital base during 2020, these were mitigated throughout 2021, with improvements in the global economic background leading to a strong improvement in 2021 results.
Macroeconomic and geopolitical risks
In 2021 the global economy has grown significantly, recovering in part from the crisis caused by the pandemic, which caused a sharp fall in global GDP in 2020. The significant upturn in global growth has been due to progress in the vaccination against COVID-19 and important economic stimuli adopted by public authorities.
Activity indicators show, however, that the economic recovery process has lost momentum in recent months. The recent slowdown in economic growth is taking place in an environment marked by a sharp increase in infections caused by new variants of the COVID-19, although the increasing immunization of the world population has helped to generally prevent the adoption of mobility restrictions, which would have had a greater impact on the economy.
The effects of reduced production due to the pandemic and its persistence, coupled with fiscal stimuli and strong demand for goods, once restrictions have been lifted, contribute to maintaining the problems in global supply chains observed since the beginning of 2021 which, in addition to negatively affecting economic activity, generate significant upward pressure on prices.
Against this backdrop, annual inflation in December 2021 stood at 7.0% in the United States and 5.0% in the Eurozone. In both geographical areas, long-term inflation expectations from markets and surveys have been adjusted upwards, although in the case of the Eurozone they remain generally below the European Central Bank’s (hereinafter, ECB) 2% target.
High inflation rates and their increased persistence have put pressure on central banks to withdraw monetary stimuli earlier than they had originally anticipated. The United States Federal Reserve, in particular, has begun the rollback in its bond-buying program and has suggested that monetary policy interest rates will adjust upwards earlier and faster than expected by financial markets and financial analysts, and also that a downsizing of its balance sheet may soon begin. In the Eurozone, the ECB will complete the pandemic emergency purchase program (PEPP) in March 2022. Although the asset purchase program (APP) is maintained, asset purchases will be moderated over the course of 2022. However, unlike the Federal Reserve, the ECB has continued to maintain that it rules out an increase in benchmark interest rates in 2022.
According to BBVA Research, the global economic recovery process is expected to continue in the coming months, albeit at a slightly slower pace than expected in autumn of 2021, due to the persistence of the pandemic, but also due to a higher-than-estimated impact of supply chain problems and inflationary pressures. All this against a background of reduced fiscal and monetary stimulus. GDP growth would therefore moderate, from an estimated 5.6% in 2021 to about 4.2% in 2022 in the United States, from 5.1% in 2021 to 3.7% in 2022 in the Eurozone and from 8.0% in 2021 to 5.2% in 2022 in China. The likely rise in monetary policy interest rates in the United States, which could reach 1.25% by the end of 2022, as well as a progressive control of the pandemic and a moderation of supply chain problems, would allow inflation to be moderated throughout the year; although inflation is expected to remain high, particularly in the United States. Risks arising from this economic scenario expected by BBVA Research are significant and are biased downwards in the case of activity, and include more persistent inflation, financial turbulence caused by a more aggressive withdrawal of monetary stimuli, the emergence of new variants of the coronavirus that bypass current vaccines, a more intense slowdown in the Chinese economy, as well as social and geopolitical tensions. Likewise, the countries in which the Group operates face various idiosyncratic risks, beyond those related to the global environment.
Regulatory and reputational risks
Financial institutions are exposed to a complex and ever-changing regulatory environment defined by governments and regulators. This can affect their ability to grow and the capacity of certain businesses to develop, and result in stricter liquidity and capital requirements with lower profitability ratios. The Group constantly monitors changes in the regulatory framework that allow for anticipation and adaptation to them in a timely manner, adopt industry practices and more efficient and rigorous criteria in its implementation.
The financial sector is under ever closer scrutiny by regulators, governments and society itself. In the course of activities, situations which might cause relevant reputational damage to the entity could raise and might affect the regular course of business. The attitudes and behaviors of the Group and its members are governed by the principles of integrity, honesty, long-term vision and industry practices through, inter alia, the internal control model, the Code of Conduct, the Corporate Principles in tax matters and Responsible Business Strategy of the Group.
Business, operational and legal risks
New technologies and forms of customer relationships: Developments in the digital world and in information technologies pose significant challenges for financial institutions, entailing threats (new competitors, disintermediation, etc.) but also opportunities (new framework of relations with customers, greater ability to adapt to their needs, new products and distribution channels, etc.). Digital transformation is a priority for the Group as it aims to lead digital banking of the future as one of its objectives.
Technological risks and security breaches: The Group is exposed to new threats such as cyber-attacks, theft of internal and customer databases, fraud in payment systems, etc. that require major investments in security from both the technological and human point of view. The Group gives great importance to the active operational and technological risk management and control.
Regarding legal risks, the financial sector faces an environment of increasing regulatory and litigious pressure, and thus, the various Group entities are usually party to individual or collective judicial proceedings (including class actions) resulting from their activity and operations, as well as arbitration proceedings. The Group is also party to other government procedures and investigations, such as those carried out by the antitrust authorities in certain countries which, among other things, have in the past and could in the future result in sanctions, as well as lead to claims by customers and others. In addition, the regulatory framework, in the jurisdictions in which the Group operates, is evolving towards a supervisory approach more focused on the opening of sanctioning proceedings while some regulators are focusing their attention on consumer protection and behavioral risk.
In Spain and in other jurisdictions where the Group operates, legal and regulatory actions and proceedings against financial institutions, prompted in part by certain judgments in favor of consumers handed down by national and supranational courts (with regards to matters such as credit cards and mortgage loans), have increased significantly in recent years and this trend could continue in the future. The legal and regulatory actions and proceedings faced by other financial institutions in relation to these and other matters, especially if such actions or proceedings result in favorable resolutions for the consumer, could also adversely affect the Group.
All of the above may result in a significant increase in operating and compliance costs or even a reduction of revenues, and it is possible that an adverse outcome in any proceedings (depending on the amount thereof, the penalties imposed or the procedural or management costs for the Group) could damage the Group's reputation, generate a knock-on effect or otherwise adversely affect the Group.
It is difficult to predict the outcome of legal and regulatory actions and proceedings, both those to which the Group is currently exposed and those that may arise in the future, including actions and proceedings relating to former Group subsidiaries or in respect of which the Group may have indemnification obligations. Any of such outcomes could be significantly adverse to the Group. In addition, a decision in any matter, whether against the Group or against another credit entity facing similar claims as those faced by the Group, could give rise to other claims against the Group. In addition, these actions and proceedings attract resources from the Group and may occupy a great deal of attention on part of the Group's management and employees.
As of December 31, 2021, the Group had €623 million in provisions for the proceedings it is facing (included in the line "Provisions for litigation and pending tax cases" in the consolidated balance sheet) (see Note 24), of which €533 million correspond to legal contingencies and €90 million to tax related matters. However, the uncertainty arising from these proceedings (including those for which no provisions have been made, either because it is not possible to estimate them or for other reasons) makes it impossible to guarantee that the possible losses arising from these proceedings will not exceed, where applicable, the amounts that the Group currently has provisioned and, therefore, could affect the Group's consolidated results in a given period.
As a result of the above, legal and regulatory actions and proceedings currently faced by the Group or to which it may become subject in the future or otherwise affected by, individually or in the aggregate, if resolved in whole or in part adversely to the Group's interests, could have a material adverse effect on the Group’s business, financial condition and results of operations.
Spanish judicial authorities are investigating the activities of Centro Exclusivo de Negocios y Transacciones, S.L. (Cenyt). Such investigation includes the provision of services by Cenyt to the Bank. On 29th July, 2019, the Bank was named as an investigated party (investigado) in a criminal judicial investigation (Preliminary Proceeding No. 96/2017 – Piece No. 9, Central Investigating Court No. 6 of the National High Court) for alleged facts which could be constitutive of bribery, revelation of secrets and corruption. On February 3, 2020, the Bank was notified by the Central Investigating Court No. 6 of the National High Court of the order lifting the secrecy of the proceedings. Certain current and former officers and employees of the Group, as well as former directors have also been named as investigated parties in connection with this investigation. The Bank has been and continues to be proactively collaborating with the Spanish judicial authorities, including sharing with the courts the relevant information obtained in the internal investigation hired by the entity in 2019 to contribute to the clarification of the facts. As of the date of the approval of the Consolidated Financial Statements, no formal accusation against the Bank has been made.
This criminal judicial proceeding is at the pre-trial phase. Therefore, it is not possible at this time to predict the scope or duration of such proceeding or any related proceeding or its or their possible outcomes or implications for the Group, including any fines, damages or harm to the Group’s reputation caused thereby.