4. Risk management

4.1. General risk management and control model

The BBVA Group has a general risk management and control model (hereinafter, the “Model”) that is appropriate for its business model, its organization, the countries where it operates and its corporate governance system. This model allows the Group to carry out its activity within the management and risk control strategy and policy defined by the corporate bodies of BBVA (considering sustainability specifically) and to adapt itself to a changing economic and regulatory environment, facing this management at a global level and aligned to the circumstances at all times.

The Model, for which the Group’s Chief Risk Officer (CRO) is responsible and that must be updated or reviewed at least annually, is fully applied in the Group and it comprises the following basic elements:

  • Governance and organization
  • Risk Appetite Framework
  • Assessment, monitoring and reporting
  • Infrastructure.

The Group promotes the development of a risk culture that ensures a consistent application of the Model in the Group, and that guarantees that the risks function is understood and internalized at all levels of the organization.

4.1.1 Governance & organization

The risk governance model in the BBVA Group is characterized by a special involvement of its corporate bodies, both in setting the risk strategy and in monitoring and supervising its implementation on an ongoing basis.

Thus, and as explained below, the corporate bodies are responsible for approving the risk strategy and the general policies for the different types of risks. Global Risk Management (hereinafter, GRM) and Regulation & Internal Control (including, among other areas, Non-Financial Risks) are the functions responsible for its implementation and development, with the appropriate reporting to corporate bodies.

Responsibility for day-to-day management of risks falls on business and corporate areas, the activities of which adhere to the general policies, regulation, infrastructures and controls that, based on the framework set by corporate bodies, are defined by GRM and Regulation & Internal Control in their corresponding areas of responsibility.

To carry out this work adequately, the financial risks function in the BBVA Group has been set up as a single, global function and independent from commercial areas.

The head of the financial risks function at an executive level, is the Group's Chief Risk Officer, who is appointed by the Board of Directors as a member of its senior management, and reports directly on the development of the corresponding functions to the corporate bodies. The Chief Risk Officer, for the best fulfilment of the functions, is supported by a structure consisting of cross- cutting risk units in the corporate area and specific risk units in the Group's geographical and/or business areas.

In addition, and with regard to non-financial risks and internal control, the Group has a Regulation & Internal Control area independent from the rest of units and whose head (Head of Regulation & Internal Control) is also appointed by the Board of Directors of BBVA and reports directly to corporate bodies on the performance of its functions. This area is responsible for proposing and implementing non-financial risks policies and the Internal Control Model of the Group, and it is composed by, among other, the Non-Financial Risks, Regulatory Compliance and Risk Internal Control units.

The Risk Internal Control unit, within the Regulation & Internal Control area and, therefore, independent from the financial risks function (GRM), acts as a control unit for the activities carried out by GRM. In this regard, and without prejudice to the functions performed in this regard by the Internal Audit area, Risk Internal Control checks that the regulatory framework, the models and processes and established measures are sufficient and appropriate for each type of financial risk. It also monitors its implementation and operation, and confirms that those decisions taken by GRM are taken independently from the business lines and, in particular, that there's an adequate segregation of functions between units.

Governance and organizational structure are basic pillars for ensuring an effective risk management and control. This section summarizes the roles and responsibilities of the corporate bodies in the risks area, of the Group's Chief Risk Officer and, in general, of the risks function, its interrelation and the parent-subsidiary relationship model in this area and the group of committees, in addition to the Risk Internal Control unit.

Corporate Bodies of BBVA

According to the corporate governance system of BBVA, the Board of Directors of the Bank has certain reserved competencies, concerning management, through the implementation of the corresponding most relevant decisions, and concerning supervision and control, through the monitoring and supervision of implemented decisions and management of the Bank.

In addition, to ensure adequate performance of the management and supervision functions of the Board of Directors, the corporate governance system contemplates the support activity carried out by the Risk and Compliance Committee (CRC), as well as by other committees that assist the Board. for reasons of speciality of the matter, in accordance with the functions established in its own regulations.

With regard to risks, the Board of Directors' competencies are those relating to establishing the policy for controlling and managing risk and the oversight and control of its implementation.

In carrying out these functions, the Board relies on the Risk and Compliance Committee, which monitors the evolution of all the Group's financial and non-financial risks, with a global and transversal vision, and their degree of adequacy with the defined strategies and policies and the Group's Risk Appetite Framework. Added to this are the functions regarding specific non-financial risks that, due to their speciality, the Board has assigned to other committees, such as: (i) non-financial risks of an accounting, tax and reporting nature, by the Audit Commission; (ii) technological and cybersecurity risks, by the Technology and Cybersecurity Commission; and (iii) reputational and business risks, by the Permanent Delegate Committee, which thus complement the overall supervision of the Group's set of financial and non-financial risks carried out by the Risk and Compliance Committee, for which purpose It coordinates between the different Board committees through different reports, in addition to the cross composition of the Board committees.

The involvement of the corporate bodies of BBVA in the control and management of the risks of the Group is detailed below:

Board of Directors

The Board of Directors is responsible for establishing the risk strategy of the Group and, in this role, it determines the control and risk management policy, through the following documents:

  • The Risk Appetite Framework of the Group, which includes in the one hand the risk appetite statement of the Group, that is, the general principles governing the risk strategy of the Group and its target profile; and, on the other hand, and based on the above mentioned risk appetite statement, a set of quantitative metrics (core metrics, and their corresponding statements, and by type of risk metrics), reflecting the risk profile of the Group;
  • the framework of management policies of the different types of risk to which the Bank is or could be exposed, which contain the basic lines for managing and controlling risks in a uniform way across the Group and consistently with the Model and Risk Appetite Framework;
  • and the General risk management and control model described above.

All of the above in coordination with the rest of prospective-strategic decisions of the Bank, which includes the Strategic Plan, the Annual Budget, the Capital Plan and the Liquidity & Funding Plan, in addition to the rest of management objectives, whose approval is a responsibility of the Board of Directors.

In addition to defining the risk strategy, the Board of Directors (in the performance of its risks monitoring, management and control tasks) also monitors the evolution of the risks of the Group and of each main geographical and/or business area, ensuring compliance with the Risk Appetite Framework of the Group; and also supervising the internal information and control systems.

For the development of all these functions, the Board of Directors is supported by the CRC and the CDP, which are responsible for the functions detailed below.

Risk and Compliance Committee

The CRC is, according to its own charter, composed of non-executive directors and its main purpose is to assist the Board of Directors on the establishment and monitoring of the risk control and management policy of the Group.

For this purpose, it assists the Board of Directors in a variety of risk control and monitoring areas, in addition to its analysis functions, based on the strategic pillars established at all times by both the Board of Directors and the CDP, the proposals on the strategy, control and risk management of the Group, which are particularly specified in the Risk Appetite Framework and in the “Model”. After the analysis, the Risk Appetite Framework and Model proposal is submitted to the Board of Directors for consideration and, where appropriate, approval purposes.

In addition, the CRC proposes, in a manner consistent with the Risk Appetite Framework of the Group approved by the Board of Directors, the control and management policies of the different risks of the Group, and supervises the information and internal control systems.

With regard to the monitoring of the evolution of the risks of the Group and their degree of compliance with the Risk Appetite Framework and defined general policies, and without prejudice to the monitoring task carried out by the Board of Directors and the CDP, the CRC carries out monitoring and control tasks with greater frequency and receives information with a sufficient granularity to achieve an adequate performance of its duties.

The CRC also analyzes all measures planned to mitigate the impact of all identified risks, should they materialize, which must be implemented by the CDP or the Board of Directors, as the case may be. The CRC also monitors the procedures, tools and measurement indicators of those risks established at a Group level in order to have a comprehensive view of the risks of BBVA and its Group, and monitors compliance with the regulation and supervisory requirements in terms of risks.

The CRC is also responsible for analyzing those project-related risks that are considered strategic for the Group or corporate transactions that are going to be submitted to the Board of Directors of the CDP, within its scope of competence.

In addition, it contributes to the setting of the remuneration policy, checking that it is compatible with an appropriate and effective management of risks and that it does not provide incentives to take risks breaching the level tolerated by the Bank.

Lastly, the CRC ensures the promotion of the risk culture in the Group.

In 2022, the CRC has held 22 meetings.

Executive Committee

In order to have a comprehensive and complete vision of the progress of the Group's business and its business units, the CDP monitors the evolution of the risk profile and the core metrics defined by the Board of Directors, being aware of any potential deviation or breach of the metrics of the Risk Appetite Framework and implementing, when applicable, the appropriate measures, as explained in the Model.

In addition, the CDP is responsible for proposing the basis for developing the Risk Appetite Framework, which will be established in coordination with the rest of prospective/strategic decisions of the Bank and the rest of management objectives.

Lastly, the CDP is the committee supporting the Board of Directors in decisions related to business risk and reputational risk, according to the dispositions set out in its own charter.

In addition, to ensure adequate performance of the management and supervision functions of the Board of Directors, the corporate governance system contemplates the existence of different committees, which assist the Board of Directors in matters that are within its competence, in accordance with the specific regulations of each committee, having established a coordinated work scheme between these corporate bodies.

In terms of risks, the Board of Directors has reserved the powers related to the determination of the risk management and control policy and the supervision and control of its implementation.

BBVA has an internal control model that is structured into three differentiated levels (“lines of defense”), which constitute the organizational structure of the Group's internal control model, whose objective is the integral management of the risk life cycle; all this, in accordance with the best practices developed both in the "Enterprise Risk Management - Integrated Framework" of COSO (Committee of Sponsoring Organizations of the Treadway Commission) and in the "Framework for Internal Control Systems in Banking Organizations" prepared by the Bank Basel International Settlements (BIS):

  • First line of defence: made up of the business, transformation and support areas that report to the Chairman and the CEO, who are in charge of managing operational risks (including process efficiency) in the daily operations of the Bank.
  • Second line of defence: made up of the different units that make up the Regulation and Internal Control Area (with the exception of the Relations with Supervisors and Regulation units), whose functions include (i) designing and maintaining the the Group's Operational Risk management model, and to assess the degree of application in the scope of the different Areas; and (ii) define the General Framework for Mitigation, Control and Monitoring in its area of expertise and compare it with that implemented by the first line. Additionally, the Responsible Business Unit is in charge of reputational risk management, in coordination with the Group's internal control model in those cases in which it derives from operational events.
  • Third line of defence: performed by the Internal Audit Area, which: (i) carries out an independent review of the control model, verifying compliance and the effectiveness of the established general policies; and (ii) provides independent information on the control environment to the Corporate Assurance Committees.

The Board, with the support of its Committees, supervises the effectiveness of the internal control model through periodic reports from those responsible for the different lines of defence. In particular, the heads of the Internal Regulation and Control and Internal Audit areas report at least quarterly to the Board of Directors on the most relevant issues of their control activity; and, in addition, they report monthly to the Risk and Compliance Committee and the Audit Committee, respectively, and with a greater level of detail, on the operation of the internal control model and on the independent reviews carried out of the different Bank processes. All of this is based on the annual plans for each of these functions, which are approved by the respective Board Committees and where the review of processes related to climate change risk and other sustainability issues is expressly incorporated.

Parent-subsidiary risk relationship model

In accordance with the provisions of the BBVA Group's General Corporate Governance Policy, for integrated management and supervision in the Group, the Group has a common management and control framework, consisting of basic guidelines (including strategic-prospective decisions) and General Policies, established by BBVA's corporate bodies for the Group.

For the purpose of transferring the risk strategy and its management and control model to the different subsidiaries of the BBVA Group and their corresponding specific risk units, a parent-subsidiary relationship model has been designed within the scope of risk management and control in the BBVA Group.

This relationship model implies a minimum catalog of decisions that must be adopted by the corporate bodies of the subsidiaries in terms of risks in order to provide them with an adequate governance model coordinated with the parent company. It will be the responsibility of the head of the Risk function (GRM) of each subsidiary to formulate the proposals that proceed to the corresponding corporate body for its consideration and, where appropriate, approval, according to the scope of functions that apply.

The approval of these decisions by the corporate bodies of the subsidiaries obliges the risk units of the geographical areas to carry out a risk monitoring and control plan before their corporate bodies.

Notwithstanding the foregoing, it is considered necessary that certain decisions regarding risks reserved for the consideration of the corresponding corporate bodies of the subsidiary for their approval, are also subject to the approval of the corporate bodies of BBVA, in accordance with what is established regulations at all times.

In the specific case of BBVA, S.A., what is described in this document regarding the coordination of the local risk management function with the risk function of the parent company BBVA, S.A. is applicable (as in any subsidiary of the Group). And with regard to the decisions that the corporate bodies of the subsidiaries must adopt, in this case it is the responsibility of the head of the Risk function of BBVA, S.A. (GRM) formulate the proposals that proceed to the corresponding corporate body for its consideration and, where appropriate, approval, according to the scope of functions that apply.

Chief Risk Officer of the Group

The Group's Chief Risk Officer (CRO) is responsible for the management of all the financial risks of the Group with the necessary independence, authority, rank, experience, knowledge and resources. The CRO is appointed by the Board of Directors of BBVA and has direct access to its corporate bodies (Board of Directors, CDP and CRC), with the corresponding regular reporting on the risk situation in the Group.

The GRM area has a responsibility as the unit transversal to all the businesses of the BBVA Group. This responsibility is part of the structure of the BBVA Group, which is formed by subsidiaries based in different jurisdictions, which have autonomy and must comply with their local regulations, but always according to the risk management and control scheme designed by BBVA as the parent company of the BBVA Group.

The Chief Risk Officer of the BBVA Group is responsible for ensuring that the risks of BBVA Group, within the scope of its functions, are managed according to the established model, assuming, among other, the following responsibilities:

  • Prepare, in coordination with the rest of areas responsible for risks monitoring and control, and propose to corporate bodies the risk strategy of the BBVA Group, which includes the Risk Appetite statement of the BBVA Group, core (and their respective statements) and by type of risk metrics, and the Model.
  • Ensure the necessary coordination to define and prepare the proposals for the Appetite Framework of the Group companies, and make sure they are applied correctly.
  • Define, in coordination with the rest of areas responsible for risks monitoring and control, and propose to corporate bodies the general policies for each type of risk within its scope of responsibility and, as part these, to establish the required specific regulation.
  • Prepare, in coordination with the rest of areas responsible for risks monitoring and control, and propose for approval, or approving if within its competence, the risk limits for the geographical areas, business areas and/or legal entities, which shall be consistent with the defined Risk Appetite Framework; it is also responsible for the monitoring, supervision and control of risk limits within its scope of responsibility.
  • Submit to the Risk and Compliance Committee the information required to carry out its supervisory and control functions.
  • Regular reporting to the corresponding corporate bodies on the situation of those risks of the BBVA Group within its scope of responsibility.
  • Identify and assess the material risks faced by the BBVA Group within its scope of responsibility, with an effective management of those risks and, where necessary, with the implementation of the required mitigation measures.
  • Early warning to the relevant corporate bodies and the Chief Executive Officer of any material risk within its scope of responsibility that could compromise the solvency of the BBVA Group.
  • Ensure, within its scope of responsibility, the integrity of measurement techniques and management information systems and, in general, the provision of models, tools, systems, structures and resources to implement the risk strategy defined by the corporate bodies.
  • Promote the risk culture of the BBVA Group to ensure the consistency of the Model in the different countries where it operates, strengthening the cross-cutting model of the risks function.

For decision-making, the Group’s Chief Risk Officer has a governance structure for the role that culminates in a support forum, the Global Risk Management Committee (GRMC), which is established as the main executive-level committee on the risks within its remit. Its purpose is to develop the strategies, policies, regulations and infrastructures needed to identify, assess, measure and manage the material risks within its remit that the Group faces in its business activity. This committee is composed by the Chief Risk Officer, who chairs the meetings, and the heads of the Corporate Area of the disciplines of GRM, the “Risk Strategy, Development & BEX”, “Strategy and Development”, “South America and Turkey”, and “Risk Internal Control”; and by the heads of GRM in the three most important geographical units and in CIB. The purpose of the GRMC is to propose and challenge, among other issues, the internal regulatory framework of GRM and the infrastructures required to identify, assess, measure and manage the risks faced by the Group in carrying out its businesses and to approve risk limits.

The GRMC carries out its functions assisted by various support committees which include:

  • Global Credit Risk Management Committee: It is responsible for analyzing and decision-making related to wholesale credit risk admission.
  • Wholesale Credit Risk Management Committee: It is responsible for analyzing and making decisions related to wholesale credit risk admission in specific customer segments of BBVA Group, as well as being informed of the relevant decisions adopted by members of the committee within their scope of decision-making at corporate level.
  • Work Out Committee: Its purpose is to analyze and make decisions regarding the admission of wholesale credit risks of customers classified in Watch List, doubtful risk or write-offs in accordance with the criteria established in the Group, as well as to be informed of the decisions adopted by the person in charge of the Work Out process in its area of responsibility; it will also include the approval of proposals on entries, exits and modifications in Watch List, entries and exits in doubtful, unlikely to pay and pass to write-offs; as well as the approval of other proposals that must be seen in this Committee according to the established thresholds and criteria.
  • Global Portfolio Management Committee: The executive authority responsible for managing the limits by asset class for credit risk, equities and real estate not for own use, structural risks, insurance and pension risk and asset management; and by business area and at group level established in the risk limits planning exercise, which aims to achieve an optimal combination and composition of portfolios under the restrictions imposed by the Risk Appetite Framework, which allows maximizing the risk- adjusted return on regulatory and economic capital when appropriate. Additionally, it takes into account the concentration and asset quality objectives of the portfolio, as well as the prospects and strategic needs of the the BBVA Group.
  • Risk Models Management Committee: It ensures an appropriate decision-making process regarding the planning, development, implementation, use, validation and monitoring of the models required to achieve an appropriate management of the Model Risk in the BBVA Group.
  • Risk Models Management Committee: It ensures an appropriate decision-making process regarding the planning, development, implementation, use, validation and monitoring of the models required to achieve an appropriate management of the Model Risk in the BBVA Group.
  • Global Market and Counterparty Risk Committee: its purpose is to formalize, supervise and communicate the trading risk monitoring in all Global Markets business units, as well as coordinating and approving the key decisions of the Market and Counterparty Risk activity. It is also responsible for the analysis and decision making (opinion on the risk profile of the proposal, the mitigants and the risk-return ratio) with respect to the most relevant transactions in the different geographies in which Global Markets is present.
  • Retail Credit Risk Committee: it ensures for the analysis, discussion and decision support on all issues regarding the retail credit risk management that impact or potentially do in the practices, processes and corporate metrics established in the General Policies, Rules and Operating Frameworks.


  • GRM Continuity Committee: this committee operates under the provisions of the Corporate Continuity Committee for the different Areas. Its purpose is to analyze and make decisions about exceptional crisis situations, with the aim of managing continuity and the restoration of critical GRM processes, minimizing the impact of its operations through the Continuity Plan, which covers crisis management and Recovery Plans.
  • The Corporate Committee for Admission of Operational Risk and Product Governance (CCAROyGP) aims to ensure the adequate evaluation of initiatives with significant operational risk (new business, product, outsourcing, process transformation, new systems, etc.) from the perspective of operational risk and approval of the proposed control environment.

Risk units of the corporate area and the business/geographical areas

The risks function is comprised of risk units from the corporate area, which carry out cross-cutting functions, and of risk units of the geographical/business areas.

  • The risk units of the corporate area develop and submit to the Group's Chief Risk Officer the different elements required to define the proposal for the Group's Risk Appetite Framework, the general policies, the regulation and global infrastructures within the operating framework approved by corporate bodies; they ensure their application and report directly or through the Group's Chief Risk Officer to the corporate bodies of BBVA. With regard to non-financial risks and reputational risk, which are entrusted to the Regulation & Internal Control and Communications areas respectively, the corporate units of GRM will coordinate, with the corresponding corporate units of those areas, the development of the elements that should be integrated into the Appetite Framework of the Group.
  • The risk units of the business and/or geographical areas develop and submit to the Chief Risk Officer of the geographical and/or business areas the Risk Appetite Framework proposal applicable in each geographical and/or business area, independently and always according to the Group's Risk Appetite Framework. In addition, they ensure the application of general policies and the rest of the internal regulations, with the necessary adaptations, when applicable, to local requirements, providing the appropriate infrastructures for risk management and control purposes, within the global risk infrastructure framework defined by the corporate areas, and reporting to the corresponding corporate bodies and senior management, as applicable. With regard to Non-financial risks, which are integrated in the Regulation & Internal Control area, the local risk units will coordinate, with the unit responsible for those risks, the development of the elements that should be integrated into the local Risk Appetite Framework.

Thus, the local risk units work with the risk units of the corporate area with the aim of adapting themselves to the risk strategy at Group level and pooling all the information required to monitor the evolution of their risks.

As previously mentioned, the risks function has a decision-making process supported by a structure of committees, and also a top-level committee, the GRMC, whose composition and functions are described in the section "Chief Risk Officer of the Group."

Each geographical and/or business area has its own risk management committee(s), with objectives and contents similar to those of the corporate area. These committees perform their duties consistently and in line with general risk policies and corporate rules, and its decisions are reflected in the corresponding minutes.

Under this organizational scheme, the risks function ensures the integration and application throughout the Group of the risk strategy, the regulatory framework, the infrastructures and standardized risk controls. It also benefits from the knowledge and proximity to customers in each geographical and/or business area, and conveys the corporate risk culture to the Group's different levels. Moreover, this organization enables the risks function to conduct and report to the corporate bodies an integrated monitoring and control of the risks of the entire Group.

Chief Risk Officers of geographical and/or business areas

The risks function is cross-cutting, i.e. it is present in all of the Group's geographical and/or business areas through specific risk units. Each of these units is headed by a Chief Risk Officer for the geographical and/or business area who, within the relevant scope of responsibility, carries out risk management and control functions and is responsible for applying the Model, the general policies and corporate rules approved at Group level in a consistent manner, adapting them if necessary to local requirements and with the subsequent reporting to local corporate bodies.

The Chief Risk Officers of the geographical and/or business areas have functional reporting to the Group's Chief Risk Officer and hierarchical reporting to the head of their geographical and/or business area. This dual reporting system aims to ensure the independence of the local risks function from the operational functions and enable its alignment with the Group's general policies and goals related to risks.

Risk Internal Control

The Group has a specific Risk Internal Control unit, within the Regulation & Internal Control area, that, among other tasks, independently challenges and control the regulation and governance structure in terms of financial risks and its implementation and deployment in GRM, in addition to the challenge of the development and implementation of financial risks control and management processes. It is also responsible for the validation of risk models.

For this purpose, it has 3 subunits: RIC-Processes, Risks Technical Secretariat and Risk Internal Validation.

  • RIC-Processes. It is responsible for challenging an appropriate development of the functions of GRM units, and for reviewing that the functioning of financial risk management and control processes is appropriate and in line with the corresponding regulation, identifying potential opportunities for improvement and contributing to the design of the action plans to be implemented by the responsible units. In addition, it is the Risk Control Specialist (RCS) in the Group's Internal Control Model and, therefore, establishes the general mitigation and control frameworks for its risk area and contrasts them with those actually implemented.
  • Risks Technical Secretariat. It is responsible for the definition, design and management of the principles, policies, criteria and processes through which the regulatory risk framework is developed, processed, reported and disclosed to the countries; and for the coordination, monitoring and assessment of its consistency and completeness. In addition, it coordinates the definition and structure of the most relevant GRM Committees, and monitors their proper functioning, in order to ensure that all risk decisions are taken through an adequate governance and structure, ensuring their traceability. It also provides to the CRC the technical support required in terms of financial risks for a better performance of its functions.
  • Risk Internal Validation. It is responsible for validating the risks models. In this regard, it effectively challenges the relevant models used to manage and control the risks faced by the Group, as an independent third party from those developing or using the models in order to ensure its accuracy, robustness and stability. This review process is not restricted to the approval process, or to the introduction of changes in the models; it is a plan to make a regular assessment of those models, with the subsequent issue of recommendations and actions to mitigate identified weaknesses.

The Head of Risk Internal Control of the Group is responsible for the function and reports about his activities and work plans to the Head of Regulation & Internal Control and to the CRC, with the corresponding support in the issues required, and, in particular, challenging that GRM's reports submitted to the Committee are aligned with the criteria established at the time.

In addition, the risk internal control function is global and transversal, it includes all types of financial risks and has specific units in all geographical and/or business areas, with functional reporting to the Head of Risk Internal Control of the Group.

The Risk Internal Control function must ensure compliance with the general risks strategy defined by the Board of Directors, with adequate proportionality and continuity. In order to comply with the control activity within its scope. Risk Internal Control is member of GRM's top-level committees (sometimes even assuming the Secretariat role), independently verifying the decisions that may be taken and, specifically, the decisions related to the definition and application of internal GRM regulation.

Furthermore, the control activity is developed within a homogeneous methodological framework at a Group level, covering the entire life cycle of financial risk management and carried out under a critical and analytical approach.

The Risk Internal Control team reports the results of its control function to the corresponding heads and teams, promoting the implementation of corrective measures and submitting these assessments and the resolution commitments in a transparent manner to the established levels.

Lastly, and notwithstanding the control responsibility that GRM teams have in the first instance, Risk Internal Control teams promote a control culture in GRM, conveying the importance of having robust processes.

4.1.2 Risk appetite framework

Elements and development

The Group's Risk Appetite Framework approved by the corporate bodies determines the risks and the risk level that the Group is willing to assume to achieve its business objectives considering the organic evolution of business. These are expressed in terms of solvency, liquidity and funding, and profitability, as well as recurrence of revenue, which are reviewed not only periodically but also if there are any substantial changes in the business strategy or relevant corporate transactions.

The Risk Appetite Framework is expressed through the following elements:

  • Risk appetite statement: sets out the general principles of the Group's risk strategy and the target risk profile:

    "The BBVA Group develops a multichannel and responsible universal banking business model, based on values, committed to sustainable development and centred on our customers' needs, focusing on operational excellence and the preservation of adequate security and business continuity.

    BBVA intends to achieve these goals while maintaining a moderate risk profile, so the risk model established aims at ensuring a robust financial position, facilitating its commitment with sustainability and obtaining a sound risk- adjusted profitability throughout the cycle, as the best way to face adverse environments without jeopardizing its strategies.

    BBVA Group's risk management is based on prudent management, and a comprehensive and prospective vision of all risks, to allow us to adapt to the disruptive risks inherent in the banking business. It includes the climate factor, a diversification of portfolios by geographies, asset classes and customer segments, prevention of money laundering and terrorist financing, and the maintenance of a long-term relationship with customers, supporting them in the transition to a sustainable future, to promote profitable growth and recurring generation of value."
  • Statements and core metrics: Statements are established, based on the risk appetite statement, specifying the general principles of risk management in terms of solvency, liquidity and funding, profitability and income recurrence. Moreover, the core metrics reflect, in quantitative terms, the principles and the target risk profile set out in the Risk Appetite statement. Each core metric has three thresholds ranging from usual management of the businesses to higher levels of impairment:
  • Management benchmark: a benchmark that determines a comfortable management level for the Group.
  • Maximum appetite: the maximum level of risk that the Group is willing to accept in its ordinary activity.
  • Maximum capacity: the maximum risk level that the Group could assume, which for some metrics is associated with regulatory requirements.
  • Metrics by type of risk: based on the core metrics and their thresholds, a number of metrics are determined for each type of risk, whose observance enables compliance with the core metrics and the Group's Risk Appetite statement. These metrics have a maximum risk appetite threshold.

In addition to this Framework, statements are established that include the general principles for each risk type, as well as a level of management limits that is defined and managed by the areas responsible for the management of each type of risk in order to ensure that the early management of risks complies with the established Risk Appetite Framework.

Each significant geographical area (that is, those representing more than 1% of the assets or operating income of the BBVA Group) has its own Risk Appetite framework, consisting of its local Risk Appetite statement, core statements and metrics, and metrics by type of risk, which must be consistent with those set at the Group level, but adapted to their own reality. These are approved by the corresponding corporate bodies of each entity. This Appetite Framework is supplemented by statements for each risk type and has a limit structure in line and consistent with the above.

The corporate risks area works with the various geographical and/or business areas to define their Risk Appetite Framework, so that it is coordinated with, and integrated into, the Group's Risk Appetite Framework, making sure that its profile is in line with the one defined. Moreover, and for the purposes of monitoring at local level, the Chief Risks Officer of the geographical and/or business area regularly reports on the evolution of the metrics of the Local Risk Appetite Framework to the corporate bodies, as well as to the relevant top-level local committees, following a scheme similar to that of the Group, in accordance with its own corporate governance systems.

Within the issuing process of the Risk Appetite Framework, Risk Internal Control carries out, within the scope of the GRM area the effective challenge of the Framework proposal prior to its escalation to corporate bodies, which is also documented, and it is extended to the approval of the management limits under which it is developed, also supervising its adequate approval and extension to the different entities of the Group. Likewise, in each significant geographical area, the local Risk Internal Control unit, working in the Risk Management Committee (hereinafter, RMC), carries out an effective challenge of the local Risk Appetite Framework prior to its escalation to local corporate bodies, which is also documented, and extended to the local approval process of the management limits.

Monitoring of the Risk Appetite Framework and management of breaches

So that corporate bodies can develop the risk functions of the Group, the heads of risks at an executive level will regularly report (more frequently in the case of the CRC, within its scope of responsibility) on the evolution of the metrics of the Risk Appetite Framework of the Group, with the sufficient granularity and detail, in order to check the degree of compliance of the risks strategy set out in the Risk Appetite Framework of the Group approved by the Board of Directors.

If, through the monitoring of the metrics and supervision of the Risk Appetite Framework by the executive areas, a relevant deviation or breach of the maximum appetite levels of the metrics is identified, that situation must be reported and, where applicable, the corresponding corrective measures must be submitted to the CRC.

After the relevant review by the CRC, the deviation must be reported to the CDP (as part of its role in the monitoring of the evolution of the risk profile of the Group) and to the Board of Directors, which will be responsible, when applicable, for implementing the corresponding executive measures, including the modification of any metric of the Risk Appetite Framework. For this purpose, the CRC will submit to the corresponding corporate bodies all the information received and the proposals prepared by the executive areas, together with its own analysis.

Notwithstanding the foregoing, once the information has been analyzed and the proposal of corrective measures has been reviewed by the CRC, the CDP may adopt, on grounds of urgency and under the terms established by law, measures corresponding the Board of Directors, but always reporting those measures to the Board of Directors in the first meeting held after the implementation for ratification purposes.

In any case, an appropriate monitoring process will be established (with a greater information frequency and granularity, if required) regarding the evolution of the breached or deviated metric, and the implementation of the corrective measures, until it has been completely redressed, with the corresponding reporting to corporate bodies, in accordance with its risks monitoring, supervision and control functions.

Integration of the Risk Appetite Framework into the management

The transfer of the Risk Appetite Framework to ordinary management is underpinned by three basic elements:

  • The existence of a standardized set of regulations: the corporate risks area defines and proposes the general policies within its scope of action, and develops the additional internal regulation required for the development of those policies and the operating frameworks on the basis of which risk decisions must be adopted within the Group. The approval of the general policies for all types of risks is a responsibility of the corporate bodies of BBVA, while the rest of regulation is defined at an executive level according to the framework of competences applicable at any given time. The Risks units of the geographical and/or business areas comply with this regulation and performing, where necessary, the relevant adaptation to local requirements, in order to have a decision-making process that is appropriate at local level and aligned with the Group's policies.
  • Risk planning, which ensures the integration into the management of the Risk Appetite Framework through a cascade process established to set limits adjusted to the target risk profile. The Risks units of the corporate area and of the geographical and/or business areas are responsible for ensuring the alignment of this process with the Group's Risk Appetite Framework in terms of solvency, liquidity and funding, profitability, and recurrence of earnings.
  • A comprehensive management of risks during their life cycle, based on differentiated treatment according to their type.

4.1.3 Assessment, monitoring and reporting

Assessment, monitoring and reporting is a cross-cutting function at Group level. This function ensures that the model has a dynamic and proactive vision to enable compliance with the Risk Appetite Framework approved by the Board of Directors, even in adverse scenarios.

This process is integrated in the activity of the Risk units, both of the corporate area and in the geographical and/or business units, together with the units specialized in non-financial risks and reputational risk within the Regulation & Internal Control and Communications business areas respectively, in order to generate a comprehensive and single view of the risk profile of the Group.

This process is developed through the following phases:

  • Monitoring of the identified risk factors that can compromise the performance of the Group or of the geographical and/or business areas in relation to the defined risk thresholds.
  • Assessment of the impact of the materialization of the risk factors on the metrics that define the Risk Appetite Framework based on different scenarios, including stress testing scenarios (EU-wide stress testing).
  • Response to unwanted situations and proposals for redressing measures to the corresponding levels, in order to enable a dynamic management of the situation, even before it takes place.
  • Monitoring the Group's risk profile and the identified risk factors, through internal, competitor and market indicators, among others, to anticipate their future development.
  • Reporting: complete and reliable information on the evolution of risks to corporate bodies and senior management, in accordance with the principles of accuracy, exhaustiveness, clarity and utility, frequency, and adequate distribution and confidentiality. The principle of transparency governs all the risk information reporting process.

4.1.4 Infrastructure

For the implementation of the Model, the Group has the resources required for an effective management and supervision of risks and for achieving its goals. In this regard, the Group's risks function:

  • Has the appropriate human resources in terms of number, ability, knowledge and experience. The profile of resources will evolve over time based on the specific needs of the GRM and Regulation & Internal Control areas, always with a high analytical and quantitative capacity as the main feature in the profile of those resources. Likewise, the corresponding units of the geographical and/or business areas have sufficient means from the resources, structures and tools perspective in order to achieve a risk management process aligned with the corporate model.
  • Develops the appropriate methodologies and models for the measurement and management of the different risk profiles, and the assessment of the capital required to take those risks.
  • Has the technological systems required to: support the Risk Appetite Framework in its broadest definition; calculate and measure the variables and specific data of the risk function; support risk management according to this Model; and provide an environment for storing and using the data required for risk management purposes and reporting to supervisory bodies.
  • Promotes adequate data governance, in accordance with the principles of governance, infrastructure, precision and integrity, completeness, promptness and adaptability, following the quality standards of the internal regulations referring to this matter.

Within the risk functions, both the profiles and the infrastructure and data shall have a global and consistent approach.

The human resources among the countries must be equivalent, within proportionality, ensuring a consistent operation of the risk function within the Group. However, they will be distinguished from those of the corporate area, as the latter will be more focused on the conceptualization of appetite frameworks, operating frameworks, the definition of the regulatory framework and the development of models, among other tasks.

As in the case of the human resources, technological platforms must be global, thus enabling the implementation of the Risk Appetite Framework and the standardized management of the risk life cycle in all countries.

The corporate area is responsible for deciding on the platforms and for defining the knowledge and roles of the human resources. It is also responsible for defining risk data governance.

The foregoing is reported to the corporate bodies of BBVA so they can ensure that the Group has the appropriate means, systems, structures and resources.

4.2 Credit risk

In addition to the significant macroeconomic challenges posed by the COVID-19 pandemic, the global economy is currently facing a number of exceptional challenges. Russia's invasion of Ukraine has caused significant disruption, instability and volatility in the world markets, as well as increased inflation (including contributing to further increases in oil, gas and other commodity prices and further affecting supply chains), and lower economic growth, which has additionally led to aggressive interest rate hikes by central banks that could affect the most leveraged companies, as well as strain the ability of individuals to pay.

In relation to the relief measures for customers affected by the pandemic, and in the second instance, affected by the economic effects derived from the war in Ukraine, in Spain and Peru, the possibility of carrying out extensions both in the maturity period as well as in the grace period in financing with public guarantees are still in force. In Spain, they can be requested by companies and self-employed from June 30, 2022, after the expiration of the Temporary State Aid Framework approved by the European Commission, and in Peru, the Decree was approved in May, with eligibility in this measure in place until June 30, 2023 after the extension of the initial period that ended on December 31, 2022. In addition, on November 23, 2022, Royal Decree-Law 19/2022, of November 22, was published. It amends the Code of Good Practices, establishes a new Code of Good Practices easing the interest rates hike on mortgage loans agreements related to primary residences, and provides for other structural measures aiming to improve the loan market. BBVA has adhered to the new Code of Good Practices with effect from January 1, 2023.

Regarding the direct exposure of the Group to Russia and Ukraine, this is limited for BBVA, although the Group has taken different measures aimed at reducing its impact, among which are the initial lowering of limits followed by the suspension of operations with Russia, the lowering of internal ratings and the inclusion of the country and its borrowers as impaired for subjective reasons.

However, the indirect risk is greater due to the activity of customers in the affected area or sectors. The economic effects are mainly shown through higher commodity prices, but also through financial and confidence channels, as well as a further deterioration of global supply chain issues.

Calculation of expected losses due to credit risk

In addition to the individualized and collective estimates of the expected losses and the macroeconomic estimates in accordance with what is described in IFRS 9, the estimate at the end of the quarter includes the effect on the expected losses of the macroeconomic forecasts' update, which considers the current global environment, which has been affected by the war in Ukraine, the evolution of interest rates, inflation rates or the prices of commodities.

Additionally, the Group can supplement the expected losses either by the consideration of additional risk drivers, the incorporation of sectorial particularities or that may affect a set of operations or borrowers, following a formal internal process established for the purpose.

During 2022, in the case of Spain, the expected losses of operations considered unlikely to pay were reviewed, adjusting, in the model, the severity of these transactions to align it with that of impaired loans, which resulted in the recording of an additional provision of €250 million in the income statement for the year 2022. Similarly, during 2021, for clients benefiting from the measures of RDL 6/2012, loss given default were reviewed, resulting in an adjustment whose remaining amount at the end of 2022 was €138 million, with no significant variation in year.

The complementary adjustments pending allocation to specific operations or clients as of December 31, 2022 totaled €302 million, of which €163 million correspond to Spain, €92 million to Mexico, €25 million to Peru, €11 million to Colombia, €5 million to Chile and €6 million to Rest of Business of the Group. In comparison, as of December 31, 2021, the complementary adjustments pending allocation to specific operations or clients amounted to €311 million, of which €226 million corresponded to Spain, €68 million to Mexico and €18 million euros to Peru. The variation in the year is due to, on the one hand, the revision or partial consumption of the adjustments that were deemed necessary in connection with payment deferrals, public guarantees or sectors most affected by the pandemic and, on the other hand, the additional losses amounting to €150 million relating to exposures to the corporate portfolios mainly of Spain, Mexico, Peru and Colombia (wholesale borrowers and small and medium enterprises) and Rest of Business of the Group, which could be more affected by the economic context of high inflation, interest rates or energy prices.

BBVA Group's credit risk indicators

The evolution of the Group’s main credit risk indicators is summarized below:

  • Credit risk declined by -1.0% (+2.6% at constant exchange rates) between October and December 2022, with an almost generalized growth, at constant exchange rates at Group level, although Spain was affected by the lower volume of corporate and investment banking operations.
  • Reduction in the balance of non-performing loans at Group level between October and December 2022 (-4.6% in current terms and -1.4% at constant rates), positively affected by a non-performing loan portfolio sale in Spain and the foreign exchange rates evolution. Compared to the end of December 2021, the amount of non-performing loans decreased by 6.3% (-6.6% at constant exchange rates).


General note: 2020 excludes BBVA USA and the rest of the companies in the United States sold to PNC on June 1, 2021.

  • The NPL ratio stood at 3.4% as of December 31, 2022, 13 basis points below the figure recorded in September 2022 and 70 basis points below the one of December 2021, with an improvement in this indicator in all business areas during the year.
  • Loan-loss provisions decreased by 6.4% compared to the figure of the third quarter (+2.0% with respect to December 2021), mainly due to the foreign exchange evolution, and affected by the Spain's portfolio sale.
  • The NPL coverage ratio stood at 81%, 156 basis points below the figure of September 2022 (664 basis points higher than at the end of 2021), mainly due to the evolution of the indicator in Spain, which includes the aforementioned impact of the portfolio sale.
  • The cumulative cost of risk as of December 31, 2022 stood at 0.91%, higher than at the end of the third quarter of 2022 but still 2 basis points below the close of 2021, due to higher loan-loss provisions in the quarter for the macroeconomic scenario deterioration in the main geographical areas, coverage increase in those sectors and portfolios most vulnerable to the current environment, and recurring flows on normal (pre-pandemic) level.



31-12-22 30-09-22 30-06-22 31-03-22 31-12-21
Credit risk 424,341 428,619 414,128 395,325 376,011
Non-performing loans 14,463 15,162 15,501 15,612 15,443
Provisions 11,764 12,570 12,159 11,851 11,536
NPL ratio (%) 3.4 3.5 3.7 3.9 4.1
NPL coverage ratio (%)(2) 81 83 78 76 75
  • (1) Includes gross loans and advances to customers plus guarantees given.
  • (2) The NPL coverage ratio includes the valuation adjustments for credit risk throughout the expected residual life in those financial instruments that have been acquired (mainly originating from the acquisition of Catalunya Banc, S.A.). If these valuation corrections had not been taken into account, the NPL coverage ratio would have stood at 80% as of December 31, 2022 and 73% as of December 31, 2021.


4Q22 (1) 3Q22 2Q22 1Q22 4Q21
Beginning balance 15,162 15,501 15,612 15,443 14,864
Entries 2,333 1,871 2,085 1,762 2,875
Recoveries (1,171) (1,595) (1,697) (1,280) (1,235)
Net variation 1,162 276 388 482 1,640
Write-offs (928) (683) (579) (581) (832)
Exchange rate differences and other (933) 67 80 269 (228)
Period-end balance 14,463 15,162 15,501 15,612 15,443
Memorandum item:
Non-performing loans 13,493 14,256 14,597 14,731 14,657
Non performing guarantees given 970 906 904 881 786
  • (1) Preliminary data.

4.3 Market risk

For further information, see Note 7.4 of the Consolidated Financial Statements.

4.4 Structural risks

Liquidity and funding

Liquidity and funding management at BBVA aims to finance the recurring growth of the banking business at suitable maturities and costs, using a wide range of instruments that provide access to a large number of alternative sources of financing. In this context, it is important to notice that, given the nature of BBVA's business, the funding of lending activity is fundamentally carried out through the use of stable customer funds.

Due to its subsidiary-based management model, BBVA is one of the few major European banks that follows the Multiple Point of Entry (MPE) resolution strategy: the parent company sets the liquidity policies, but the subsidiaries are self-sufficient and responsible for managing their own liquidity and funding (taking deposits or accessing the market with their own rating), without fund transfers or financing occurring between either the parent company and the subsidiaries or between the different subsidiaries. This strategy limits the spread of a liquidity crisis among the Group's different areas and ensures that the cost of liquidity and financing is correctly reflected in the price formation process.

The BBVA Group maintains a solid liquidity position in every geographical area in which it operates, with ratios well above the minimum required:

  • The BBVA Group's liquidity coverage ratio (LCR) remained comfortably above 100% throughout the year 2022, and stood at 159% as of December 31, 2022. For the calculation of this ratio, it is assumed that there is no transfer of liquidity among subsidiaries; i.e. no type of excess liquidity levels in foreign subsidiaries is being considered in the calculation of the consolidated ratio. When considering these excess liquidity levels, the BBVA Group's LCR would stand at 201%.
  • The net stable funding ratio (NSFR), defined as the result between the amount of stable funding available and the amount of stable funding required, demands banks to maintain a stable funding profile in relation to the composition of their assets and off-balance sheet activities. This ratio should be at least 100% at all times. The BBVA Group's NSFR ratio, stood at 135% as of December 31, 2022.

The breakdown of these ratios in the main geographical areas in which the Group operates is shown below:


Eurozone (1) Mexico Turkey South America
LCR 186% 199% 185% All countries >100
NSFR 125% 143% 166% All countries >100
  • (1) BBVA, S.A. liquidity management perimeter: Spain + branches of the outside network.

One of the key elements in BBVA's Group liquidity and funding management is the maintenance of large high quality liquidity buffers in all the geographical areas. In this respect, the Group has maintained for the last 12 months an average volume of high quality liquid assets (HQLA) accounting to €140.3 billion, among which, 95% correspond to maximum quality assets (LCR Tier 1).

It should be noted that the war in Ukraine has not had a significant impact on the liquidity and financing situation of the BBVA Group units during the year 2022. In addition to the above, the most relevant aspects related to the main geographical areas are the following:

  • BBVA, S.A. has maintained a comfortable position with a large high-quality liquidity buffer. During the year 2022, commercial activity has generated liquidity due to the growth in customer deposits above that of lending activity, especially in the last quarter. In December, the Bank started to repay the TLTRO III program for an amount of €12 billion, corresponding to approximately one third of the total drawdown amount. BBVA's solid liquidity situation has allowed the Bank to bring forward a part of the maturities while maintaining, in any case, regulatory liquidity metrics well above the established minimums. At the same time, collateral generation activities have been carried out during the year with the issuance of mortgage and regional bonds to be retained for an amount of €2 billion and the creation of two new mortgage securitization funds, the first one for an amount of €12.4 billion, which groups the assets previously held in seven funds, generating an additional collateral of approximately €3 billion; and the second one for an amount of €1.4 billion.
  • In BBVA Mexico, commercial activity has drained liquidity during 2022, supported by the growth in lending activity, that exceeded the growth of customer funds. Despite this, BBVA Mexico continues to hold a comfortable liquidity position, which has contributed to a cost-efficient funding management in an environment of rising rates.
  • In Turkey, in the year 2022, the lending gap in local currency has been reduced, due to a greater growth in deposits than in loans. The lending gap in foreign currency has increased due to reductions in deposits as a result of the mechanism established to encourage Turkish lira deposits, partially offset by lower loans in foreign currency. Garanti BBVA continues to maintain a stable liquidity position with comfortable ratios. For its part, the Central Bank of Turkey has continued to implement measures in order to reduce the dollarization of the economy.
  • In South America, the liquidity situation remains adequate throughout the region. In Argentina, liquidity continues to increase in the system and in BBVA due to a higher growth in deposits than in loans in local currency. In BBVA Colombia, a greater growth in lending activity is shown, compared to the growth in funds, non-compromising the liquidity situation of the bank due to the increase in the collection of longer-term deposits. BBVA Peru maintains solid liquidity levels, thanks to the solid growth of deposits in an environment of reduced local currency lending due to the expiration of loans covered by COVID-19 programs. The recent political instability is not having material impacts in terms of liquidity.

The main wholesale financing transactions carried out by the companies of the BBVA Group are listed below:

In relation to BBVA, S.A., during the year 2022 the following issuances were made:

Type of issue Date of issue Nominal (millions) Currency Coupon Early redemption Maturity date
Senior non-preferred Jan-22 1,000 EUR 0.875% Jan-28 Jan-29
Senior preferred May-22 1,250 EUR 1.750% Nov-25
Senior preferred May-22 500 EUR Euribor 3M + 1% Nov-25
Senior preferred May-22 100 EUR 1.000% May-24
Senior preferred Jul-22 865 EUR Euribor 3M + 0.7% Jul-24
Senior non-preferred Sep-22 1,000 USD 5.862% Sep-25 Sep-26
Senior non-preferred Sep-22 750 USD 6.138% Sep-27 Sep-28
Senior preferred Sep-22 1,250 EUR 3.375% Sep-27
Senior preferred (green bond) Oct-22 1,250 EUR 4.375% Oct-29
Seniorpreferred Oct-22 100 EUR 4.250% Oct-34
Senior preferred (green bond) Nov-22 215 CHF 2.408% Nov-25
Senior preferred (green bond) Nov-22 210 CHF 2.770% Nov-28

Additionally, in May 2022, the preferred shares eventually convertible into common shares of BBVA (CoCos) issued by BBVA in May 2017 were redeemed early. In June 2022, a securitization of loans for the financing of vehicles was completed for an amount of €1,200m.

In January 2023 BBVA carried out two public bond issuance operations: a senior non-preferred bond for €1,000m with a term of 8 years and an early redemption option in the 7th year at 4.625% and a €1,500m mortgage bond with a term of 4 and a half years at 3.125%.

For its part, on June 21, BBVA Mexico issued a sustainable bond for 10 billion Mexican pesos (€480m, approximately), thus becoming the first private bank to carry out an issue of this type in Mexico, using the TIIE (Balanced Interbank Interest Rate used in Mexico) rate as benchmark.

Garanti BBVA renewed, on June 7, 100% of a syndicated loan indexed to environmental, social and corporate governance (ESG) criteria that consists of two separate tranches of USD 283.5m and €290.5m, both with a maturity of one year. On December 5, Garanti BBVA renewed the second part of a syndicated loan (USD 155m and €239m) with a ratio of 65% according to its strategy and in line with the banks of the peer group. The price was higher than the previous tranche due to market risk (E+400; SOFR 425). Garanti BBVA also provided sustainable funding of USD 75m in 2022.

Lastly, BBVA Colombia closed a financing with the International Finance Corporation (IFC) in November for USD 60m for a 3-year term. This operation joins the USD 200m for a 5-year term signed in June and the USD 40m for a 3-year term signed in September. The use of funds is applied to boost the financing and construction of energy-sustainable buildings and reduce CO2 emissions, among others.

Foreign exchange

Foreign exchange risk management aims to reduce both the sensitivity of the capital ratios and the net attributable profit variability to currency fluctuations.

In relation to the hedging of the capital ratios, BBVA covers, in aggregate, 70% of its subsidiaries capital excess. The sensitivity of the Group's CET1 fully-loaded ratio to 10% depreciations in major currencies is estimated at: +19 basis points for the U.S. dollar, -5 basis points for the Mexican peso and -5 basis points for the Turkish lira. With regard to the hedging of results, BBVA hedges between 40% and 50% of the aggregate net attributable profit it expects to generate in the next 12 months. For each currency, the final amount hedged depends on its expected future evolution, the costs and the relevance of the incomes related to the Group's results as a whole.

Interest rate

Interest rate risk management seeks to limit the impact that BBVA may suffer, both in terms of net interest income (short-term) and economic value (long-term), from adverse movements in the interest rate curves in the various currencies in which the Group operates. BBVA carries out this work through an internal procedure, pursuant to the guidelines established by the European Banking Authority (EBA), in order to analyze the potential impact that could derive from a range of scenarios on the Group's different balance sheets.

The model is based on assumptions intended to realistically mimic the behavior of the balance sheet. Of particular relevance are assumptions regarding the behavior of accounts with no explicit maturity and prepayment estimates. These assumptions are reviewed and adapted at least once a year to take into account any changes in observed behavior.

At the aggregate level, BBVA continues to maintain a moderate risk profile, in accordance with the established objective, showing positive sensitivity toward interest rate increases in the net interest income.

Regarding relevant events in financial markets, the ECB, with the aim of curbing inflation, began the process of raising interest rates in July 2022, with a 250 basis points increase in the year. For its part, the FED accumulates 425 basis points increase in 2022. Although, additional increases are expected in 2023 (such as the rise in the Fed's 0.25 basis points and the ECB's 0.5 basis points, announced on February 1 and February 2, 2023, respectively), since inflation remains at high levels. Regarding fixed-income markets, the valuations were affected by the strong general increase of the interest rates and the widening of risk premiums, in line with the inflation estimation, which is expected to continue above the reference levels. The Spanish and Italian debt spreads deteriorate with widening compared to the German curve, especially in Italy. With regard to Mexico and South America, similar flattening moves to those of the United States, continuing with the rate hikes cycle. For its part, Turkey has set the monetary policy rate at 9.0%, making successive cuts of 500 basis points between August and November of 2022.

By area, the main features are:

  • Spain has a balance sheet characterized by a high proportion of variable-rate loans (mortgages and corporate lending) and liabilities composed mainly by customer demand deposits. The ALCO portfolio acts as a management lever and hedging for the balance sheet, mitigating its sensitivity to interest rate fluctuations. The balance sheet interest rate risk profile remained stable during the year, with Spain as the franchise with the highest positive sensitivity to rates in the Group.

    On the other hand, as mentioned, at the end of December 2022 the ECB set the benchmark interest rate at 2.5%, held the marginal deposit facility rate at 2.0% and the marginal loan facility rate at 2.75%. Thus, the European benchmark interest rates (Euribor) showed significant increases in the year. In this regard, customer spread is starting to benefit from interest rate hikes, expected to continue in the coming quarters.
  • Mexico continues to show a balance between fixed and variable interest rates balances, which represents a limited sensitivity to interest rates fluctuations. In terms of assets that are most sensitive to interest rate fluctuations, the commercial portfolio stands out, while consumer loans and mortgages are mostly at a fixed rate. With regard to the customer funds, the high proportion of non-interest bearing deposits should be highlighted, which are insensitive to interest rate movements. The ALCO portfolio is invested primarily in fixed-rate sovereign bonds with limited maturities. The monetary policy rate stands at 10,50%, 500 basis points above the end-of-year level of 2021. Regarding client spread, there has been improvement so far in 2022, favored by both the contained cost of deposits and the positive evolution of yield on loan.
  • In Turkey, the sensitivity of loans, which are mostly fixed-rate but with relatively short maturities, and the ALCO portfolio balance the sensitivity of deposits on the liability side. The interest rate risk is thus limited, both in Turkish lira and in foreign currencies. However, the economic value risk increases in 2022 mainly due to the compulsory purchases of bonds required by the local supervisor. Customer spread improved in 2022 due to the lower cost of deposits.
  • In South America, the interest rate risk profile remains low as most countries in the area have a fixed/variable composition and maturities that are very similar for assets and liabilities, with limited net interest income sensitivity. In addition, in balance sheets with several currencies, interest rate risk is managed for each of the currencies, showing a very low level of risk. Regarding the benchmark rates of the central banks of Peru and Colombia, they rose the interest rates by 500 and 900 basis points, respectively, in 2022. Customer spreads improved in Peru, impacted by an interest rates hikes environment, while falling in Colombia, affected by the highest increase in the cost of deposits derived from a faster liabilities repricing than assets repricing as a result of a sharp interest rates hikes.


31-12-22 30-09-22 30-06-22 31-03-22 31-12-21 30-09-21 30-06-21 31-03-21
Official ECB rate 2.50 1.25 0.00 0.00 0.00 0.00 0.00 0.00
Euribor 3 months (1) 2.06 1.01 (0.24) (0.50) (0.58) (0.55) (0.54) (0.54)
Euribor 1 year (1) 3.02 2.23 0.85 (0.24) (0.50) (0.49) (0.48) (0.49)
USA Federal rates 4.50 3.25 1.75 0.50 0.25 0.25 0.25 0.25
TIIE (México) 10.50 9.25 7.75 6.50 5.50 4.75 4.25 4.00
CBRT (Turquía) 9.00 12.00 14.00 14.00 14.00 18.00 19.00 19.00

(1) Calculated as the month average.

4.5 Risks associated with climate change

The risks related to climate change are considered as an additional factor which affects the risk categories already identified and defined in the BBVA Group and are therefore managed through the Groups risk management frameworks (credit, market, liquidity, operational and other non-financial risks). As a consequence, the BBVA Group’s climate change risk-related is based on their incorporation into the currently processes and governance established, considering the regulation and supervisory trends.

The information on the management of risks associated with climate change required by Law 7/2021, of May 20, on climate change and energy transition, is described in the section “Index of contents of Law 07/2021” of the Chapter “Other information” of this report.

4.6 Operational Risk

BBVA defines operational risk (“OR”) as any risk that could result in losses caused by human error; inadequate or flawed internal processes; undue conduct with respect to customers, markets or the institution; antimoney laundering and financing of terrorist activities; failures, interruptions or flaws in systems or communications; theft, loss or wrong use of information, as well as deterioration of its quality, internal or external fraud, including in any case those derived from cyberattacks; theft or harm to assets or persons; legal risks; risks derived from staff management and labor health; and defective service provided by suppliers; as well as damages from extreme climate events, pandemics and other natural disasters.

Operational risk management is oriented towards the identification of the root causes to avoid their occurrence and mitigate possible consequences. This is carried out through the establishment of control framework and monitoring and the development of mitigation plans aimed at minimizing resulting economic and reputational losses and their impact on the recurrent generation of results, and contributing the increase the quality, safety and availability of the provided service. Operational risk management is integrated into the global risk management structure of the BBVA Group.

This section addresses general aspects of operational risk management as the main component of non-financial risks. However, sections devoted to conduct and compliance risk and to cybersecurity risk management are also included in the non-financial information report.

Operational risk management principles

The BBVA Group is committed to preferably applying advanced operational risk management models, regardless of the capital calculation regulatory model applicable at the time. Operational risk management at the BBVA Group shall:

  • Be aligned with the Risk Appetite Framework ratified by the BBVA Board of Directors.
  • Address BBVA's management needs in terms of compliance with legislation, regulations and industry standards, as well as the decisions or positioning of BBVA's corporate bodies.
  • Anticipate the potential operational risk to which the Group may be exposed as a result of the creation or modification of products, activities, processes or systems, as well as decisions regarding the outsourcing or hiring of services, and establish mechanisms to assess and mitigate risk to a reasonable extent prior to implementation, as well as review the same on a regular basis.
  • Establish methodologies and procedures to enable regular reassessment of the significant operational risk to which the Group is exposed, in order to adopt appropriate mitigation measures in each case, once the identified risk and the cost of mitigation (cost/benefit analysis) have been considered, while safeguarding the Group's solvency at all times.
  • Promote the implementation of mechanisms that support careful monitoring of all sources of operational risk and the effectiveness of mitigation and control environments, fostering proactive risk management.
  • Examine the causes of any operational events suffered by the Group and establish means to prevent the same, provided that the cost/benefit analysis so recommends. To this end, there are procedures in place to evaluate operational events and mechanisms that allow recording the operational losses that may be caused by the same.
  • Evaluate key public events that have generated operational risk losses at other institutions in the financial sector and support, where appropriate, the implementation of measures as required to prevent them from occurring at the Group.
  • Identify, analyze and attempt to quantify events with a low probability of occurrence and a high impact, which by their exceptional nature may not be included in the loss database; or if they are, feature with impacts that are not very representative for the purpose of valuing possible mitigation measures.
  • Have an effective system of governance in place, where the functions and responsibilities of the corporate areas and bodies involved in operational risk management are clearly defined.
  • Operational risk management must be performed in coordination with management of other risk, taking into consideration credit or market events that may have an operational origin.

Operational risk control and management model

The operational risk management cycle at BBVA is similar to the one implemented for the rest of risks. Its elements are:

Operational risk management parameters

Operational risk forms part of the risk appetite framework of the Group and includes three types of metrics and limits:

  • Economic capital calculated with the operational losses database of the Group, considering the corresponding diversification effects and the additional estimation of potential and emerging risks through stress scenarios designed for the main types of risks. The economic capital is regularly calculated for the main banks of the Group and simulation capabilities are available to anticipate the impact of changes on the risk profile or new potential events.
  • ORI metrics (Operational Risk Indicator: operational risk losses vs. gross income) broken down by geography.
  • Indicators by risk type: a more granular common scheme of metrics (indicators and limits) covering the main types of operational risk is being implemented throughout the Group. These metrics make it possible to intensify the anticipatory management of risk and objectify the appetite to different sources. These indicators are regularly reviewed and adjusted to fix the main risks in force at any time.

Operational risk admission

The main purposes of the operational risk admission phase are the following:

  • To anticipate potential operational risk to which the Group may be exposed due to the release of new, or modification of businesses, products, activities, processes or systems or in relations with third parties (e.g. outsourcing).
  • To ensure that implementation and the roll out of initiatives is only performed once appropriate mitigation measures have been taken in each case, including external assurance of risks where deemed appropriate.

The Corporate Non-Financial Risk Management Policy sets out the specific operational risk admission framework through different Operational Risk Admission and Product Governance Committees, both at a corporate and Business Area level, that follow a delegation structure based on the risk level of proposed initiatives.

Operational risk monitoring

The purpose of this phase is to check that the target operational risk profile of the Group is within the authorized limits. Operational risk monitoring considers 2 scopes:

  • Monitoring the operational risk admission process, oriented towards checking that accepted risks levels are within the limits and that defined controls are effective.
  • Monitoring the operational risk "stock" mainly associated with processes. This is done by carrying out a periodic re-evaluation in order to generate and maintain an updated map of the relevant operational risks in each Area, and evaluate the adequacy of the monitoring and mitigation environment for said risks. This promotes the implementation of action plans to redirect the weaknesses detected.

This process is supported by a corporate Governance, Risk & Compliance tool that monitors the operational risk at a local level and its aggregation at a corporate level.

In addition, and in line with the best practices and recommendations provided by the Bank for International Settlements (hereinafter, BIS), BBVA has procedures to collect the operational losses occurred both in the different entities of the Group and in other financial groups, with the appropriate level of detail to carry out an effective analysis that provides useful information for management purposes and to contrast the consistency of the Group's operational risks map. To that end, a corporate tool of the Group is used.

The Group ensures continuous monitoring by each Area of the due functioning and effectiveness of the control environment, taking into consideration management indicators established for the Area, any events and losses that have occurred, as well as the results of actions taken by the second line of defense, the internal audit unit, supervisors or external auditors.

Operational risk mitigation

The Group promotes the proactive mitigation of the non-financial risks to which it is exposed and which are identified in the monitoring activities.

In order to rollout common monitoring and anticipated mitigation practices throughout the Group, several cross-sectional plans are being promoted related to focuses from events, lived by the Group or by the industry, self-assessments and recommendations from auditors and supervisors in different geographies, thereby analyzing the best practices at these levels and fostering comprehensive action plans to strengthen and standardize the control environment.

Assurance of operational risk

Assurance is one of the possible options for managing the operational risk to which the Group is exposed, and mainly has two potential purposes:

  • Coverage of extreme situations linked to recurrent events that are difficult to mitigate or can only be partially mitigated by other means.
  • Coverage of non-recurrent events that could have significant financial impact, if they occurred.

The Group has a general framework that regulates this area, and allows systematizing risk assurance decisions, aligning insurance coverage with the risks to which the Group is exposed and reinforcing governance in the decision-making process of arranging insurance policies.

Operational risk control model

BBVA Group's operational risk governance model is based on two components:

  • Three-line defense control model, in line with industry best practices, and which guarantees compliance with the most advanced operational risk internal control standards.
  • Scheme of Corporate Assurance Committees and Internal Control and Operational Risk Committees at the level of the different business and support areas.

Corporate Assurance establishes a structure of committees, both at local and corporate level, to provide senior management with a comprehensive and homogeneous vision of the main non-financial risks and significant situations of the control environment.

Each geographical area has a Corporate Assurance Committee chaired by the Country Manager and whose main functions are:

  • Facilitate agile and anticipatory decision-making for the mitigation or assumption of the main risks.
  • Monitoring the changes in the non-financial risks and their alignment with the defined strategies and policies and the risk appetite.
  • Analyzing and assessing controls and measures established to mitigate the impact of the risks identified, should they materialize.
  • Making decisions about the proposals for risk taking that are conveyed by the working groups or that arise in the Committee itself
  • Promoting transparency by promoting the proactive participation of the three lines of defense in discharging their responsibilities and the rest of the organization in this area

At the holding level there is a Global Corporate Assurance Committee, chaired by the Group's Chief Executive Officer. Its main functions are similar to those already described but applicable to the most important issues that are escalated from the geographies and the holding company areas.

The business and support areas have an Internal Control and Operational Risk Committee, whose purpose is to ensure the due implementation of the operational risk management model within its scope of action and drive active management of such risk, taking mitigation decisions when control weaknesses are identified and monitoring the same.

Additionally, the Non-Financial Risk unit periodically reports the status of the management of non-financial risks in the Group to the Board's Risk and Compliance Committee.

4.7 Reputational risk

Reputational risk assessment of the activity in progress

Since 2016, BBVA disposes of a reputational risk assessment methodology. Through this methodology, the Bank defines and reviews regularly a map in which it prioritizes the reputational risks which have to be faced and the set of action plans to mitigate them. The prioritization is done based on two variables: the impact on the perception of the stakeholders and the strength of BBVA facing the risk.

This exercise is performed annually in all countries where the Group has bank entities. As a result of the assessment carried out in 2021, in 2022, 29 mitigation action plans were identified. The 17 plans identified in 2021 as a result of the evaluation of the 2021 financial year have already been concluded.

Reputational risk in new initiatives

The Reputation teams collaborate, together with the rest of the members of BBVA’s second defense line, in the different Committees of Admission of the Operational Risk, both at Group and the different geographical areas level. Those Committees perform the initial identification of potential reputational risks and mitigation controls are proposed.

Reporting of the Reputational risk

The results of the annual assessment of the Reputational Risk are reported in each geographical area at the appropriate governance level. At Group level, these results are reported to the Global Corporate Assurance Committee and, since 2020, to the Board’s Executive Committee.

4.8 Risk factors

The BBVA Group has processes in place for identifying risks and analyzing scenarios in order to enable the Group to manage risks in a dynamic and proactive way.

The risk identification processes are forward looking to seek the identification of emerging risks and take into account the concerns of both the business areas, which are close to the reality of the different geographical areas, and the corporate areas and senior management.

Risks are identified and measured consistently using the methodologies deemed appropriate in each case. Their measurement includes the design and application of scenario analyses and stress testing and considers the controls to which the risks are subjected.

As part of this process, a forward projection of the Risk Appetite Framework (hereinafter "RAF") variables in stress scenarios is conducted in order to identify possible deviations from the established thresholds. If any such deviations are detected, appropriate measures are taken to keep the variables within the target risk profile.

In this context, there are a number of emerging risks that could affect the evolution of the Group’s business, including the below:

Macroeconomic and geopolitical risks

The Group is sensitive to the deterioration of economic conditions or the alteration of the institutional environment of the countries in which it operates, and especially Spain, Mexico and Turkey. Additionally, the Group is exposed to sovereign debt, especially in these areas. Furthermore, the Group has recently increased its shareholding stake in Türkiye Garanti Bankası A.Ş. (Garanti BBVA) in an additional 36.12% (reaching 85.97%) as a result of the voluntary takeover bid for the shares of Garanti BBVA not already owned by BBVA announced in November 2021.

In addition to the significant macroeconomic problems triggered by the COVID-19 pandemic, the global economy is currently facing a number of extraordinary challenges. Russia’s invasion of Ukraine, the largest military attack on a European state since World War II, has led to significant disruption, instability and volatility in global markets, as well as higher inflation (including by contributing to further increases in the prices of oil, gas and other commodities and further disrupting supply chains) and lower economic growth. The European Union, the United States and other governments have imposed significant sanctions and export controls against Russia and Russian interests and additional sanctions and controls cannot be ruled out.

The conflict has represented a significant supply shock for the global economy, which has hampered economic growth and added to the inflationary pressures, mainly in European countries, due to their relatively significant economic ties with Ukraine and Russia. The economic effects are being felt mainly through the higher commodity prices, mainly of energy commodities, despite their moderation over the last few months in 2022. While the Group’s direct exposure to Ukraine and Russia is limited, the war could adversely affect the Group’s business, financial condition and results of operations. Geopolitical and economic risks have also increased lately as a result of trade tensions between the United States and China, Brexit and the rise of populism, among others. Growing tensions may lead, among others things, to a deglobalization of the world economy, an increase in protectionism, a general reduction of international trade in goods and services and a reduction in the integration of financial markets, any of which could materially and adversely affect the Group’s business, financial condition and results of operations.

Moreover, the world economy could be vulnerable to other factors such as the aggressive interest rate hikes by central banks due to growing and widespread inflationary pressures, which could cause a significant growth slowdown - and, even, a sharp economic recession - as well as financial crises. The central banks of many developed and emerging economies have significantly augmented policy rates over the last year and the process of tightening monetary conditions is likely to continue going forward in many economies. The United States Federal Reserve (FED) and the European Central Bank have raised policy interest rates respectively by 425 and 250 basis points throughout 2022 and further adjustments are expected to be announced in the coming months (such as the rise in the Fed's 0.25 basis points and the ECB's 0.5 basis points, announced on February 1 and February 2, 2023, respectively), taking them up to around 5.0% in the first case and 3.75% in the case of the interest rates for refinancing operations in the Eurozone. The Group’ s results of operations have been affected by the increases in interest rates adopted by central banks in an attempt to tame inflation, contributing to the rise in funding costs. Further, increases in interest rates could adversely affect the Group by reducing the demand for credit, limiting its ability to generate credit for its clients and leading to an increase in the default rate of its counterparties.

Another risk is a sharp slowdown in the global GDP growth caused by a deceleration in the Chinese economy, due to the disruptions generated by the coronavirus infections following the flexibilization of the COVID-19 policies or other factors, such as the imbalances on real estate markets.

The Group bears, among others, the following general risks with respect to the economic and institutional environment in which it operates: a deterioration in economic activity in the countries in which it operates, including recession scenarios; more persistent inflationary pressures, which could trigger a more severe tightening of monetary conditions; stagflation due to more intense or prolonged supply crises; changes in exchange rates; an unfavorable evolution of the real estate market; very high oil and gas prices could have a negative impact on disposable income levels in areas that are net energy importers, such as Spain or Turkey, to which the Group is particularly exposed; changes in the institutional environment of the countries in which the Group operates could give rise to sudden and sharp drops in GDP and/or changes in regulatory or government policy, including in terms of exchange controls and restrictions on the distribution of dividends or the imposition of new taxes or charges; a growth in the public debt or in the external deficit could lead to a downward revision of the credit ratings of the sovereign debt and even a possible default or restructuring of said debt; and episodes of volatility in the markets, which could cause the Group significant losses.

Any of these factors may have a significant adverse impact on the Group's business, financial condition and results of operations.

Risks relating to the political, economic and social conditions in Turkey

In May 2022, the Group increased its shareholding stake in Garanti BBVA (Turkey) from 49.85% to 85.97% following the completion of a voluntary takeover bid (see Note 3).

Turkey has, from time to time, experienced volatile political, economic and social conditions. As of the date of the approval of these Consolidated Financial Statements, Turkey is facing an economic crisis characterized by strong depreciation of the Turkish lira, high inflation (the Turkish Statistical Institute, TUIK, established the inflation rate at 64.3% for the twelve months ended December 31, 2022; see Note 2.2.19 for information on the impact of the application of IAS 29), a soaring trade deficit, depletion of the central bank’s foreign reserves and rising external financing costs. Continuing unfavorable economic conditions in Turkey, such as the elevated inflation and devaluation of the Turkish lira, may result in a potential deterioration in the purchasing power and creditworthiness of our clients (both individual and corporate).

Additionally, certain ongoing geopolitical and domestic political factors, referred to in this section, as well as continuing regional conflicts (such as in Syria, Armenia/Azerbaijan), may pose further strain on the country’s economy.

There can be no assurance that these and other factors will not have an impact on Turkey and will not cause further deterioration of the Turkish economy, which may have a material adverse effect on the Turkish banking sector and the Group’s business, financial condition and results of operations in Turkey.

Risks associated with pandemics such as the COVID-19

The COVID-19 (coronavirus) pandemic has adversely affected the world economy, and economic activity and conditions in the countries in which the Group operates. Among other challenges, these countries have had to deal with supply disruptions and increasing inflationary pressures, while public debt has increased significantly due to the support and spending measures implemented by the government authorities. Furthermore, there has been an increase in loan losses from both companies and individuals, which has been slowed down by the impact of government support measures, including bank payment deferrals, credit with public guarantee and direct aid measures. With the outbreak of COVID-19, the Group experienced a decline in its activity. For example, the granting of new loans to individuals decreased during lockdowns. In addition, in several countries, including Spain, the Group closed a significant number of its branches and reduced the opening hours of working with the public, with central services teams having to work remotely. Furthermore, the Group has been affected by the measures or recommendations adopted by regulatory authorities in the banking sector, such as variations in reference interest rates, the modification of prudential requirements, the temporary suspension of dividend payments, changes to the terms of payment deferrals and the granting of guarantees or public guarantees for credit granted to companies and self-employed persons, the adoption of further similar measures or the modification or termination of those already approved, as well as changes in the financial assets purchase programs by the ECB.

Furthermore, pandemics like the COVID-19 pandemic could adversely affect the business and transactions of third parties that provide critical services to the Group and, in particular, the higher demand and/or the lower availability of certain resources, compounded by ongoing supply bottlenecks could, in some cases, make it more difficult for the Group to maintain the required service levels.

Further, pandemics such as the COVID-19 pandemic may exacerbate other risks disclosed in this section, including but not limited to risks associated with the credit quality of the Group’s borrowers and counterparties or collateral, any withdrawal of ECB funding, the Group’s exposure to sovereign debt and rating downgrades, the Group’s ability to comply with its regulatory requirements, including MREL (Minimum Requirement for Own Funds and Eligible Liabilities) and other capital requirements, and the deterioration of economic conditions or changes in the institutional environment.

Regulatory and reputational risks

Financial institutions are exposed to a complex and ever-changing regulatory environment defined by governments and regulators. Regulatory activity in recent years has affected multiple areas, including changes in accounting standards; strict regulation of capital, liquidity and remuneration; bank charges (such as the new tax for banks recently approved in Spain, see Note 19.6) and taxes on financial transactions; regulations affecting mortgages, banking products and consumers and users; recovery and resolution measures; stress tests; prevention of money laundering and terrorist financing; market abuse; conduct in the financial markets; anti-corruption; and requirements as to the periodic publication of information. Governments, regulatory authorities and other institutions continually make proposals to strengthen the resistance of financial institutions to future crises. Further, there is an increasing focus on the climate-related financial risk management capabilities of banks. Any change in the Group’s business that is necessary to comply with any particular regulations at any given time, especially in Spain, Mexico or Turkey, could lead to a considerable loss of income, limit the Group’s ability to identify business opportunities, affect the valuation of its assets, force the Group to increase its prices and, therefore, reduce the demand for its products, impose additional costs on the Group or otherwise adversely affect its business, financial condition and results of operations.

The financial sector is under ever closer scrutiny by regulators, governments and society itself. In the course of activities, situations which might cause relevant reputational damage to the Group could arise and might affect the regular course of business.

Business, operational and legal risks

New technologies and forms of customer relationships: Developments in the digital world and in information technologies pose significant challenges for financial institutions, entailing threats (new competitors, disintermediation, etc.) but also opportunities (new framework of relations with customers, greater ability to adapt to their needs, new products and distribution channels, etc.). Digital transformation is a priority for the Group as it aims to lead digital banking of the future as one of its objectives.

Technological risks and security breaches: The Group is exposed to new threats such as cyber-attacks, theft of internal and customer databases, fraud in payment systems, etc. that require major investments in security from both the technological and human point of view. The Group gives great importance to the active operational and technological risk management and control. Any attack, failure or deficiency in the Group’s systems could, among other things, lead to the misappropriation of funds of the Group’s clients or the Group itself and the unauthorized disclosure, destruction or use of confidential information, as well as prevent the normal operation of the Group and impair its ability to provide services and carry out its internal management. In addition, any attack, failure or deficiency could result in the loss of customers and business opportunities, damage to computers and systems, violation of regulations regarding data protection and/or other regulations, exposure to litigation, fines, sanctions or interventions, loss of confidence in the Group’ s security measures, damage to its reputation, reimbursements and compensation, and additional regulatory compliance expenses and could have a significant adverse impact on the Group’ s business, financial condition and results of operations.

Regarding legal risks, the financial sector faces an environment of increasing regulatory and litigious pressure, and thus, the various Group entities are frequently party to individual or collective judicial proceedings (including class actions) resulting from their activity and operations, as well as arbitration proceedings. The Group is also party to government procedures and investigations, such as those carried out by the antitrust authorities in certain countries which, among other things, have in the past and could in the future result in sanctions, as well as lead to claims by customers and others. In addition, the regulatory framework in the jurisdictions in which the Group operates is evolving towards a supervisory approach more focused on the opening of sanctioning proceedings while some regulators are focusing their attention on consumer protection and behavioral risk.

In Spain and in other jurisdictions where the Group operates, legal and regulatory actions and proceedings against financial institutions, prompted in part by certain judgments in favor of consumers handed down by national and supranational courts (with regards to matters such as credit cards and mortgage loans), have increased significantly in recent years and this trend could continue in the future. The legal and regulatory actions and proceedings faced by other financial institutions in relation to these and other matters, especially if such actions or proceedings result in favorable resolutions for the consumer, could also adversely affect the Group.

All of the above may result in a significant increase in operating and compliance costs or even a reduction of revenues, and it is possible that an adverse outcome in any proceedings (depending on the amount thereof, the penalties imposed or the procedural or management costs for the Group) could damage the Group's reputation, generate a knock-on effect or otherwise adversely affect the Group.

It is difficult to predict the outcome of legal and regulatory actions and proceedings, both those to which the Group is currently exposed and those that may arise in the future, including actions and proceedings relating to former Group subsidiaries or in respect of which the Group may have indemnification obligations. Any of such outcomes could be significantly adverse to the Group. In addition, a decision in any matter, whether against the Group or against another credit entity facing similar claims as those faced by the Group, could give rise to other claims against the Group. In addition, these actions and proceedings attract resources from the Group and may occupy a great deal of attention on part of the Group's management and employees.

As of December 31, 2022, the Group had €685 million in provisions for the proceedings it is facing (included in the line "Provisions for taxes and other legal contingencies" in the consolidated balance sheet) (see Note 24), of which €524 million correspond to legal contingencies and €161 million to tax related matters. However, the uncertainty arising from these proceedings (including those for which no provisions have been made, either because it is not possible to estimate them or for other reasons) makes it impossible to guarantee that the possible losses arising from these proceedings will not exceed, where applicable, the amounts that the Group currently has provisioned and, therefore, could affect the Group's consolidated results in a given period.

As a result of the above, legal and regulatory actions and proceedings currently faced by the Group or to which it may become subject in the future or otherwise affected by, individually or in the aggregate, if resolved in whole or in part adversely to the Group's interests, could have a material adverse effect on the Group’s business, financial condition and results of operations.

Spanish judicial authorities are investigating the activities of Centro Exclusivo de Negocios y Transacciones, S.L. (Cenyt). Such investigation includes the provision of services by Cenyt to the Bank. On July 29, 2019, the Bank was named as an investigated party (investigado) in a criminal judicial investigation (Preliminary Proceeding No. 96/2017 – Piece No. 9, Central Investigating Court No. 6 of the National High Court) for alleged facts which could be constitutive of bribery, revelation of secrets and corruption. On February 3, 2020, the Bank was notified by the Central Investigating Court No. 6 of the National High Court of the order lifting the secrecy of the proceedings. Certain current and former officers and employees of the Group, as well as former directors have also been named as investigated parties in connection with this investigation. The Bank has been and continues to be proactively collaborating with the Spanish judicial authorities, including sharing with the courts information obtained in the internal investigation hired by the entity in 2019 to contribute to the clarification of the facts. As of the date of the preparation of the Consolidated Financial Statements, no formal accusation against the Bank has been made.

This criminal judicial proceeding is at the pre-trial phase. Therefore, it is not possible at this time to predict the scope or duration of such proceeding or any related proceeding or its or their possible outcomes or implications for the Group, including any fines, damages or harm to the Group’s reputation caused thereby.

Climate change risks

Climate change presents short, medium and long-term risks to the Group and its customers, and these risks are expected to increase over time. The Group's activities or those of its customers and/or counterparties could be negatively affected by, among others, the following risks:

  • Transition Risks: Risks linked to the transition to a low-carbon economy as a response to climate change, and that come from changes in legislation, the market, consumers, etc., to mitigate and address the requirements derived from climate change. Transition risks include:
    • Legal and regulatory risks: Legislative or regulatory changes related to the way banks manage climate risk or that otherwise affect banking practices or the disclosure of climate-related information may lead to increased costs and compliance, operational and credit risks. Group customers and counterparties may also face similar challenges.
    • Technological risks: Among others, those risks derived from the transition costs to low-emission technologies or from non-adaptation to them, which could eventually reduce the credit capacity of the Group's customers.
    • Market risks: BBVA is exposed to risks of a considerable increase in the cost of financing for customers with greater exposure to climate change risk, in such a way that their solvency or credit rating is affected. BBVA is also exposed to risks derived from changes in demand, changes in supply or the cost of energy, among others.
    • Reputational risks: The perception of climate change as a risk by society, shareholders, customers, governments and other interested parties continues to increase, encompassing the operations and strategy of the financial sector. This may lead to increased scrutiny of activities, policies, objectives and the way in which aspects related to climate change are disclosed. The Group's reputation may be damaged if its efforts to reduce environmental and social risks are deemed insufficient.
  • Physical risks: Risks that come from climate change and can be caused by greater frequency and severity of extreme weather events or long-term weather changes, and that can lead to physical damage to the assets of the Group or its customers, the interruption of their operations, disruptions in the supply chain or increased expenses necessary to deal with them, thus impacting the value of assets or the solvency of customers.

Any of these factors may have a material adverse effect on the Group’s business, financial condition and results of operations.