1.4.1. General principles of risk management
The aim of the Global Risk Management (GRM) function is to preserve the BBVA Group's solvency, help define its strategy with respect to risk and assume and facilitate the development of its businesses. Its activity is governed by the following principles:
- The risk management function is unique, independent and global.
- The risks assumed by the Group must be compatible with the capital adequacy target and must be identified, measured and assessed. Risk monitoring and management procedures and sound control and mitigation systems must likewise be in place.
- All risks must be managed integrally during their life cycle, and be treated differently depending on their nature and with active portfolio management based on a common measure (economic capital).
- It is each business area’s responsibility to propose and maintain its own risk profile, within its autonomy in the corporate action framework (defined as the set of risk control policies and procedures defined by the Group), using an appropriate risk infrastructure to control risks.
- The infrastructures created for risk control must be equipped with means (in terms of people, tools, databases, information systems and procedures) that are sufficient for their purpose, so that there is a clear definition of roles and responsibilities, thus ensuring efficient assignment of resources among the corporate area and the risk units in business areas.
In the light of these principles, the BBVA Group has developed an integrated risk management system that is structured around three main components:
- A corporate risk management scheme (with a proper segregation of duties and responsibilities).
- A set of tools, circuits and procedures that make up the schemes in the different management models.
- A system of internal control in line with the nature and size of the risks assumed.
1.4.2. Corporate governance layout
The BBVA Group has developed a system of corporate governance that is in line with the best international practices and adapted it to the requirements of the regulators in the country in which its different units operate.
With respect to the risks assumed by the Group, the Board of Directors of the Bank is responsible for establishing the general principles that define the risk objectives profile of the entities, approving the management policies for control and management of these risks and ensuring regular monitoring of the internal systems of risk information and control. The Board is supported in this function by the Executive Committee and the Risk Committee. The main mission of the latter is to assist the Board in carrying out its functions associated with risk control and management.
1.4.3. The risk function
The risk management and control function is distributed among the risk units within the business areas and the Corporate Global Risk Management (GRM) area, which ensures compliance with global policy and strategies. The risk units in the business areas propose and manage the risk profiles within their area of autonomy, though they always respect the corporate framework for action.
The Corporate GRM area combines a vision by risk type with a global vision. It is divided into five units, as follows:
- Corporate Risk Management and Risk Portfolio Management: Responsible for the management and control if the Group’s financial risks.
- Operational and Control Risk: Manages operational risk, internal risk control and internal validation of the measurement models and the acceptance of new risks.
- Technology & Methodologies: Responsible for the management of the technological and methodological developments required for risk management in the Group.
- Technical Secretary: Undertakes technical tests of the proposals made to the Risk Management Committee and the Risk Committee; prepares and promotes the regulations applicable to social and environmental risk management.
- Retail Banking: Has responsibilities in the geographical areas of Turkey, Switzerland and Asia, supports development and innovation in retail banking, supports the Lines of Business (LOBs) in insurance, asset management, consumer finance and collection and payment services. This unit centralizes non-banking risk management (insurance and funds) and the fiduciary risk management of the Retail Banking business.
This structure therefore gives the Corporate GRM area reasonable security with respect to:
- Integration, control and management of all the Group’s risks;
- The application throughout the Group of standard principles, policies and metrics; and
- The necessary knowledge of each geographical area and each business.
This organizational scheme is complemented by various committees, which include the following:
- The Risk Management Committee: This committee is made up of the risk managers from the risk units located in the business areas and the managers of the Corporate GRM area units. Among its responsibilities are the following: establishing the Group's risk strategy (especially as regards policies and structure of this function in the Group); presenting its proposal to the appropriate governing bodies for their approval; monitoring the management and control of risks in the Group; and adopting any actions necessary.
- The Global Risk Management Committee: Made up of the executive managers of the Group's risk unit and those responsible for risks in the different countries and business areas. It reviews the Group’s risk strategy and the main risk projects and initiatives in the business areas.
- The Risk Management Committee: Its permanent members are the Global Risk Management Director, the Corporate Risk Management Director and the Technical Secretary. The other committee members propose the operations that are analyzed at its working sessions. The committee analyzes and, if appropriate, authorizes, financial programs and operations within its scope and submits the proposals whose amounts exceed the set limits to the Risks Committee, when its opinion on them is favorable.
- The Assets and Liabilities Committee (ALCO): The committee is responsible for actively managing structural interest-rate and foreign-exchange risk positions, global liquidity and the Group’s capital resources.
- The Global Corporate Assurance Committee: Its task is to undertake a review at both Group and business unit level of the control environment and the effectiveness of the operational risk internal control and management systems; as well as to monitor and analyze the main operational risks the Group is subject to, including those that are cross-cutting in nature. This committee is therefore the highest operational risk management body in the Group.
- The Technology and Methodologies Committee: The committee decides on the effectiveness of the models and infrastructures developed to manage and control risks integrated in the business areas, within the framework of the operational model of Global Risk Management.
- The New Business and Product Committees: Their functions are to study and, if appropriate, to grant technical approval and implement the new businesses, products and services before they are put on the market; to undertake subsequent control and monitoring for newly authorized products; and to foster business in an orderly way to enable it to develop in a controlled environment in line with the best practices and appetite for risk.
1.4.3.1. The Group's General Risk Policy (appetite for risk)
The BBVA Group's General Risk Policy (appetite for risk) expresses the levels and types of risk that the Bank is prepared to assume to carry out its strategic plan without significant deviations, even in situations of tension. The aim of the organization is not to eliminate all risks, but to assume a prudent level of risks that allows it to generate returns while maintaining acceptable capital and fund levels and generating recurrent earnings.
Senior management is responsible for approving and reviewing the Group's General Risk Policy at least once a year, as well as executing and managing the framework for guaranteeing that the Group's effective risk profile is aligned with the General Risk Policy.
The BBVA Group's risk policy aims to achieve a moderate risk profile through prudent management; a model of universal banking, diversified by geographical areas and types of assets, portfolios and customers; a high international presence, both in emerging and developed countries, while maintaining a medium/low risk profile in each; and sustainable growth over time, with an external credit rating of at least A- in normal circumstances.
The Group's risk policy established by its governing bodies will be developed and implemented across the organization through the Risk Area, which is independent of the business areas. This area will also carry monitor the policy and report periodically to the competent governing bodies on its application and development, with any proposals that it considers appropriate for improvement.
The Group will have an adequate risk culture aimed at ensuring application of its policies and achievement of the objectives set. It will comply at all times with applicable regulations in each jurisdiction in which it operates and with the Group's own internal rules.
A series of basic metrics have been established, essentially related to solvency, liquidity and recurrent earnings. They determine the Group's risk management according to each case and allow the desired objectives to be achieved. The analysis of these elements is carried out both in specific cases and proactively through stress-testing exercises that identify possible threats and thus develop corrective action in advance.
- Solvency: In terms of solvency, BBVA's management aims to maintain a sufficient capital level for the correct development of businesses, even in a situation of severe economic and financial shock.
- Profitability and Recurrence: The Group has the goal of generating recurrent earnings even in a deteriorated economic situation, to guarantee a reasonable level of profitability for shareholders.
- Liquidity and funding: In terms of liquidity and funding, the BBVA Group as a whole, and all its subsidiaries individually, aim to maintain a solid position supported by a stable and diversified funding base, even in moments of tension.
1.4.4. Scope and nature of the risk measurement and reporting systems
Depending on their type, risks fall into the following categories:
- Credit risk
- Market risk
- Operational risk
- Structural risks
There follows a description of the risk measurement systems and tools for each kind of risk.
1.4.4.1. Credit risk
Credit risk arises from the probability that one party to a financial instrument will fail to meet its contractual obligations for reasons of insolvency or inability to pay and cause a financial loss for the other party.
BBVA quantifies its credit risk using two main metrics: expected loss (EL) and economic capital (EC). The expected loss reflects the average value of the losses. It is considered a cost of the business and is associated with the Group’s policy on allowances. Economic capital is the amount of capital considered necessary to cover unexpected losses if actual losses are greater than expected losses.
These risk metrics are combined with information on profitability in value-based management, thus building the profitability-risk binomial into decision-making, from the definition of business strategy to approval of individual loans, price setting, assessment of non-performing portfolios, incentives to areas in the Group, etc.
There are three essential parameters in the process of calculating the EL and EC measurements: the probability of default (PD), loss given default (LGD) and exposure at default (EAD). They are generally estimated using historical information available in the systems, and assigned to operations and customers according to their characteristics. In this context, the credit rating tools (ratings and scorings) assess the risk in each transaction/customer according to their credit quality by assigning them a score, which is used in assigning risk metrics together with other additional information: transaction seasoning, loan to value ratio, customer segment, etc.
Point 4.5.1.7 of this document details the definitions, methods and data used by the Group to estimate and validate the parameters of probability of default (PD), loss given default (LGD) and exposure at default (EAD).
The credit risk for the BBVA Group's global portfolio is measured through a portfolio model that includes the effects of concentration and diversification. The aim is to study the loan book as a whole, and to analyze and capture the effect of the interrelations between the different portfolios.
This model not only provides a more complete calculation of capital requirements, but is also a key tool for credit risk management. It is a core of the Asset Allocation model, which is an efficient portfolio allocation model based on the profitability-risk binomial.
The Portfolio Model considers that risk comes from various sources (it is a multi-factor model). This feature implies that economic capital is sensitive to geographic diversification, a crucial aspect in a global entity like BBVA. In addition, and within the framework of the Asset Allocation project, the sector axis has, together with the geographical, become key for the analysis of business concentration. Finally, the tool is sensitive to concentration in certain credit exposures of the entity’s large clients.
1.4.4.2. Market risk
Market risk is due to the possibility of losses in the value of positions held as a result of changing market prices of financial instruments. It includes three types of risk:
- Interest-rate risk: This is the risk resulting from variations in market interest rates.
- Currency risk: This is the risk resulting from variations in foreign-currency exchange rates.
- Price risk: This is the risk resulting from variations in market prices, either due to factors specific to the instrument itself, or alternatively due to factors which affect all the instruments traded on a specific market.
In addition, for certain positions, other market risks also need to be considered: credit spread risk, basis risk, volatility and correlation risk.
(See Chapter 5 "Market risk in trading book activities”).
1.4.4.3. Operational risk
Operational risk is defined as the one that could potentially cause losses due to human errors, inadequate or faulty internal processes, system failures or external events. (See Chapter 6 "Operational Risk")
1.4.4.4.Structural risks
Below is a description of the different types of structural risk:
- Structural interest-rate risk.
Movements in interest rates lead to changes in a bank’s net interest income and book value, and constitute a key source of asset and liability interest-rate risk. The extent of these impacts will depend on the bank's exposure to changes in interest rates. This exposure is mainly the result of the different maturity and repricing terms of the assets and liabilities on the banking book and the off-balance-sheet positions.
A financial institution’s exposure to adverse changes in market rates is a risk inherent in the banking business, while at the same time representing an opportunity to generate value. That is why the structural interest rate should be managed effectively and have a reasonable relation both to the bank's capital base and the expected economic result. This function is handled by the Balance-Sheet Management unit, within the Financial Management area. Through the Asset and Liability Committee (ALCO) it is in charge of maximizing the Bank's economic value, preserving the net interest income and guaranteeing the generation of recurrent earnings. In pursuance of this, the ALCO develops strategies based on its market expectations, within the risk profile defined by the BBVA Group's management bodies and balance the expected results and the level of risk assumed. BBVA has a transfer pricing system that centralizes its interest-rate risk on ALCO’s books and helps to ensure that balance-sheet risk is being properly managed.
The Corporate Risk Management unit is responsible for controlling and monitoring asset and liability interest-rate risk, acting as an independent unit to guarantee that the risk management and control functions are properly segregated. This policy is in line with the Basel Committee on Banking Supervision recommendations. It constructs the asset and liability interest-rate risk measurements used by the Group's management, as well as designing models and measurement systems and developing monitoring, information and control systems. At the same time, through the Risk Management Committee it carries out the function of risk control and analysis reporting to the main governing bodies, such as the Executive Committee and the Board of Directors' Risk Committee.
BBVA's structural interest-rate risk management procedure has a sophisticated set of metrics and tools that enable its risk profile to be monitored precisely. This model is based on a carefully studied set of hypotheses which aim to characterize the behavior of the balance sheet exactly. The measurement of interest-rate risk includes probabilistic metrics, as well as a calculation of sensitivity to a parallel movement of +/- 100 basis points in the market curves. There is regular measurement of the Bank's earnings at risk (EaR) and economic capital, defined as the maximum adverse deviations in net interest income and economic value, respectively, for a particular confidence level and time horizon. The deviations are obtained by applying a method for simulating interest-rate curves that takes into account other sources of risk in addition to changes in direction, such as changes in the slope and curvature, as well as considering the diversification between currencies and business units. The model is subject to regular internal validation, which includes backtesting.
Each entity’s risk appetite, as determined by the Executive Committee, is expressed through the limit structure, which is one of the mainstays of control policies. Thus, the maximum negative impacts, in terms of both earnings and value, are controlled in each of the Group’s entities through this limits policy.
The risk measurement model is supplemented by analysis of specific scenarios and stress tests. Stress tests have taken on particular importance in recent years, so a greater emphasis has been placed on the analysis of extreme scenarios in a possible breakthrough in both current interest-rate levels and historical correlations and volatility. At the same time, the evaluation of scenarios forecast by the Economic Research Department has been maintained.
- Structural exchange-rate risk.
The Group’s structural exchange-rate risk management aims to minimize the potential negative impact from fluctuations in exchange rates on the book value and on the contribution to earnings of international investments maintained on a long-term basis by the Group.
The Corporate Risk Management unit acts as an independent unit that is responsible for monitoring and analyzing risks, standardizing risk management metrics and providing tools that can anticipate potential deviations from targets. It also monitors the level of compliance of established risk limits, and reports regularly to the Risk Management Committee, the Board of Directors' Risk Committee and the Executive Committee, particularly in the case of deviation or tension in the levels of risk assumed.
The Balance Sheet Management unit, through ALCO, designs and executes the hedging strategies with the main purpose of minimizing the effect of exchange-rate fluctuations on capital ratios, as well as assuring the equivalent value in euros of the foreign-currency earnings of the Group's subsidiaries, adjusting transactions according to market expectations and hedging costs. The Balance Sheet Management area carries out this work by ensuring that the Group's risk profile is at all times adapted to the framework defined by the limits structure authorized by the Executive Committee. To do so, it uses risk metrics obtained according to the corporate model designed by the Global Risk Management area.
The corporate model is based on simulating exchange-rate scenarios according to historical trends, and evaluating the impact on capital ratios, equity and the Group's income statement. This provides a distribution of the impact on the three core elements, which helps determine their maximum adverse deviation for a particular confidence level and time horizon, depending on market liquidity in each currency. The risk measurements are completed with analysis of scenarios, stress testing and backtesting, thus giving a complete overview of the Group’s exposure to structural exchange-rate risk.
- Structural risk in the equity portfolio.
The Corporate Risk Management unit undertakes ongoing monitoring of structural risk in its equity portfolio, in order to constrain the negative impact that an adverse performance by its holdings may have on the Group's solvency and earnings recurrence. This ensures that the risk is maintained within levels that are compatible with BBVA's target risk profile.
The scope of monitoring includes the holdings that the Group has in the capital of other industrial or financial companies with a medium or long-term investment horizon. These holdings therefore include those accounted in the investment portfolio and those that are consolidated in the accounts, although in the latter case changes in value do not have an immediate effect on equity. In order to determine exposure, the positions held in derivatives of underlying assets of the same kind are considered in order to limit portfolio sensitivity to potential falls in prices.
The Global Risk Management corporate area estimates the levels of risk assumed and monitors the level of compliance with the limits set, according to the appetite for risk and as authorized by the Executive Committee. It reports on these levels regularly to the Group's senior management. The mechanisms of risk control and limitation hinge on the key aspects of exposure, earnings and economic capital. Economic capital measurements are also built into the risk-adjusted return metrics to ensure efficient capital management in the Group. The Corporate Risk Management unit is also responsible in Global Risk Management for informing the Executive Committee and Risk Committee on the repercussion on the BBVA Group of critical market situations that could take place in the future. To carry out a more in-depth analysis, stress tests and sensitivity analyses are carried out from time to time against different simulated scenarios, using both past crisis situations and forecasts by BBVA Research as the base. On a monthly basis, backtesting is carried out on the risk measurement model used.
- Liquidity risk.
The aim of liquidity risk management, tracking and control is to ensure, in the short term, that the payment commitments of the BBVA Group entities can be duly met without having to resort to borrowing funds under burdensome terms, or damaging the image and reputation of the entities. In the medium term the aim is to ensure that the Group’s financing structure is ideal and that it is moving in the right direction with respect to the economic situation, the markets and regulatory changes.
(See Chapter 9 "Liquidity Risk and Finance")
1.4.5. Internal control system
The BBVA Group’s internal control system is based on the best practices developed in “Enterprise Risk Management – Integrated Framework” by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as well as in “Framework for Internal Control Systems in Banking Organizations” by the Bank for International Settlements (BIS).
The Group's system for internal control is therefore part of the Integrated Risk Management Framework. This is the system within the Group that involves the Board of Directors, management and its entire staff. It is designed to identify and manage risks facing the Group entities in such a way as to ensure that the business targets established by the Group’s management are met. The Integrated Risk Management Framework is thus made up of specialized units (Compliance, Global Accounting & Information Management, and Legal Services), together with the Corporate Operational Risk Management and Internal Audit functions.
Among the principles underpinning the Internal Control system are the following:
- Its core element is the “process.”
- The form in which the risks are identified, valued and mitigated must be unique for each process; and the systems, tools and information flows that support the internal control and operational risk activities must be unique, or at least be administered fully by a single unit.
- The responsibility for internal control lies with the Group’s business units, and at a lower level, with each of the entities that make them up. Each business unit’s Operational Risk Management Unit is responsible for implementing the system of control within its scope of responsibility and managing the existing risk by proposing any improvements to processes it considers appropriate.
- Given that some business units have a global scope of responsibility, there are cross-cutting control functions which supplement the control mechanisms mentioned above.
- The Operational Risk Management Committee in each business unit is responsible for approving suitable mitigation plans for each existing risk or shortfall. This committee hierarchy culminates at the Group’s Global Corporate Assurance Committee.
- The specialized units promote policies and draw up internal regulations. It is the responsibility of the Corporate Risk Area to develop them further and apply them.
1.4.6. Risk protection and reduction policies. Supervision strategies and processes
The Group applies a credit risk protection and mitigation policy deriving from its business model focused on relationship banking. On this basis, the provision of guarantees may be a necessary instrument but one that is not sufficient when taking risks; this is because for the Group to assume risks, it needs to verify the payment or resource generation capacity to comply with repayment of the risk incurred.
This is carried out through a prudent risk management policy which consists of analyzing the financial risk in a transaction, based on the repayment or resource generation capacity of the credit receiver, the provision of guarantees in any of the generally accepted ways (monetary, collateral or personal guarantees and hedging) appropriate to the risk borne, and lastly on the valuation of the recovery risk (the asset’s liquidity) of the guarantees received.
In the Group, monitoring plays a fundamental role in the risk management process and the scope of action of this function extends to all the phases in this process (acceptance, monitoring and recovery), guaranteeing that each risk is dealt with according to its status and defining and fostering measures to appropriately manage deteriorating risk.
Each business area is responsible for initially monitoring risk quality in its business segment referring to outstanding exposure, outstanding deteriorating exposure and past due exposure. The corporate Monitoring area supervises this function, offering its global vision and fulfilling, amongst others, the following tasks:
- Monitoring the achievement of the asset quality targets.
- Monitoring the outstanding risks that are under watch, deteriorating and past due.
- Monitoring trends in concentration, expected loss and capital use in the main risk groups.
- Benchmarking the risk quality parameters.
- Special monitoring of sensitive portfolios.