Operational risk is defined as the risk that could potentially cause losses due to human error, inadequate or faulty internal processes, system failures or external events.
In 2012, an integrated internal control and operational risk methodology was implemented throughout the Group as a development of the self-evaluation tool Ev-Ro. This methodology identifies risks in organizational areas, generates exercises that prioritize risks according to the estimated residual risk (after incorporating control effects), links risks to processes and establishes an objective risk level for each risk type to identify and manage gaps by comparing it with the residual risk level. The Group has developed a new corporate application to provide the required support for this methodology: STORM (Support Tool for Operational Risk Management), which includes modules of indicators and scenarios.
The operational risk management framework defined for the BBVA Group includes a governance structure based on: three lines of defense with clear specification of responsibilities; policies and procedures that are common to the whole Group; systems for identifying, measuring, monitoring, controlling and mitigating operational risks and losses; and tools and methodologies that quantify operational risk in terms of capital.
Operational risk management framework: three lines of defense
Characteristics of BBVA's Operational Risk management model
BBVA's operational risk management model is designed and coordinated by the Corporate Operational Risk Management function, which is part of Global Risk Management, and the Operational Risk Management (ORM) units, which are located in the Risks units of different countries and business areas. The business or support areas have operational risk managers who answer functionally to them, and are responsible for implementing the model in the day-to-day operations of the areas. This gives the Group a view of risks at the process level, where risks are identified and prioritized and mitigation decisions are made. Following a bottom-up approach, this system provides a general view at each level.
To carry out this task, BBVA has several tools already running that cover both qualitative and quantitative aspects of operational risk:
- Operational Risk management tool: The new corporate tool STORM was implemented throughout the Group in 2012. At the same time, the Ev-Ro exercises were updated for the last time at the start of 2012 and were used as a benchmark for the mitigation of risks at the Operational Risk Management committee meetings of the business and support units held during the year.
- Indicators: During 2012 and at the start of 2013 the old indicator tool TransVaR was transformed into indicators anchored in the main residual risks and their controls. The new model forms part of the STORM tool. The indicators measure the development of risks and their controls over time, generate alert signals, and provide an ongoing measurement of the effectiveness of controls.
- SIRO: Operational risk events nearly always have a negative impact on the Group's income statements. To keep these events under control, they are recorded in a database called SIRO. To ensure reliability, 95% of its inputs are fed directly from accounting data through automatic interfaces. The internal SIRO data are supplemented with information from an external database at the Operational Risk Exchange (ORX) consortium. ORX is a non-profit association founded by twelve international banks in 2002 and currently has 65 members in 18 countries.
The Group has additional tools to assist in handling the data for calculating capital and making other necessary estimations.
The operational risk events are classified according to the risk categories established by Basel II: processes, fraud (internal and external), IT, human resources, commercial practices, disasters and suppliers.
Operational risk in Spain and Mexico is quantified using internal models based on the Loss Distribution Approach methodology: the distribution of losses is determined by convolving the frequency and LGD distributions of operational events, considering a one-year period and a confidence level of 99.9%. The methodology to calculate capital using internal models involves databases of internal operational events, external databases, scenarios and several business environment and internal control factors.
In 2010, the Bank of Spain authorized the Advanced Measurement Approach (AMA) to calculate the consolidated capital requirements for operational risk in Spain and Mexico, where most of the Group’s assets are allocated. BBVA is to date the only bank authorized by the Bank of Spain to apply advanced models to calculate capital requirements for operational risk. While the basic model is still applied exceptionally, the standard model is used to calculate capital in the rest of the geographical areas.
Admission of operational risk
In 2012 the Corporate Operational Risk management function revised the admission stage of operational risk, leading to its restructuring.
First, it dealt with the appetite for operational risk, which will be implemented gradually with a top-down perspective. In 2013 it implemented Phase I, with the first loss indicators, and the full framework will be complete in 2014.
It has also identified the sources of operational risk for which the policies and procedures that manage admission of this risk have to be revised. The sources of operational risk subject to review are: approval of new risks and new products and services; outsourcing; and implementation of new systems and new processes.
The first result of this review of sources of admission was that in 2012 the Global Corporate Risk Management unit prepared a new procedure for approving new businesses, products and services, whose full implementation will be complete in 2013. With this new procedure, BBVA has integrated operational risk management further into the Group's day-to-day operations, and adopted the best practices and recommendations made recently by European bodies and regulators. The improvements introduced for approval of businesses, products and services are:
- A clearer distinction between business and product and/or service.
- Simpler governance, made up of committees with a broader level of representation that combines the global vision of businesses and products in the business and geographical areas.
- A definition of the stages and tasks that the approval processes have to comply with, as well as the people responsible for carrying them out.
- Stronger monitoring of new businesses and products after their approval.
- A key role for the operational risk function, as coordinator and guarantor of the application of the criteria and processes, and for the different specialists involved, who take decisions within their field of expertise.