Chart 19. Operational risk management framework: Three lines of defense
Chart 20. Characteristics of BBVA’s operational risk management model
Operational risk arises from the probability of human error, inadequate or faulty internal processes, system failures or external events. This definition includes legal risk, but excludes strategic and/or business risk and reputational risk.
Operational risk is inherent to all banking activities, products, systems and processes. Its origins are diverse (processes, internal and external fraud, technology, human resources, commercial practices, disasters and suppliers). Operational risk management is integrated into the BBVA Group’s global risk management structure.
The Group has in place an integrated internal control and operational risk methodology. This methodology identifies risks in organizational areas, generates analyses that prioritize risks according to the estimated residual risk (after incorporating control effects), links risks to processes and establishes an objective risk level for each risk type to identify and manage gaps by comparing it with the residual risk level. The Group has developed a corporate application to provide the required support for this methodology: STORM (Support Tool for Operational Risk Management), which includes modules of indicators and scenarios.
The operational risk management framework defined for the BBVA Group includes a governance structure based on: three lines of defense with clear specification of responsibilities; policies and procedures that are common to the whole Group; systems for identifying, measuring, monitoring, controlling and mitigating operational risks and losses; and tools and methodologies that quantify operational risk in terms of capital.
BBVA’s operational risk management model is designed and coordinated by the Corporate Operational Risk Management function, which is part of Global Risk Management, and the Operational Risk Management (ORM Country) units, which are located in the Risks units of different countries and business areas. The business or support areas have operational risk managers (ORM Business) who report functionally to ORM Country, and are responsible for implementing the model in the day-to-day operations of the areas. This gives the Group a view of risks at the process level, where risks are identified and prioritized and mitigation decisions are made. Following a bottom-up approach, this system provides a general view at each level.
To carry out this task, BBVA has several tools already running that cover both qualitative and quantitative aspects of operational risk:
- Operational risk management tool. The corporate tool STORM was implemented throughout the Group in 2013. The identification and management of the most relevant risks have been key aspects discussed at the Operational Risk Management Committee meetings of the business and support units held throughout the year.
- Indicators. The indicators anchored in the main residual risks and their controls were consolidated in 2013. This model is included in STORM. The indicators measure the development of risks and their controls over time, generate alert signals, and provide an ongoing measurement of the effectiveness of controls. These indicators are defined and monitored by specialists.
- SIRO. Operational risk events nearly always have a negative impact on the Group’s income statements. To keep these events under control, they are recorded in a database called SIRO. To ensure reliability, 95% of its inputs are fed directly from accounting data through automatic interfaces. The internal SIRO data are supplemented with information from an external database at the Operational Risk Exchange (ORX) consortium. ORX is a non-profit association founded by twelve international banks in 2002 and currently has 65 members in 18 countries.
The Group has additional tools to assist in handling the data for calculating capital and making other necessary estimates.
The operational risk events are classified according to the risk categories established by Basel II: processes, fraud (internal and external), IT, human resources, commercial practices, disasters and suppliers.
Spain and Mexico quantify operational risk using internal models based on the Loss Distribution Approach methodology: the distribution of losses is determined by the evolution of the frequency and severity distribution of operational events, considering a one-year period and a confidence level of 99.9%. The methodology to calculate capital using internal models involves databases of internal operational events, external databases, scenarios and several business environment and internal control factors.
In 2010, the Bank of Spain authorized the advanced measurement approach (AMA) to calculate the consolidated capital requirements for operational risk in Spain and Mexico, where most of the Group’s assets are allocated. BBVA is, as of this date, the only bank authorized by the Bank of Spain to apply advanced models to calculate capital requirements for operational risk. While the basic model is still applied exceptionally, the standard model is used to calculate capital in the rest of the geographical areas.
The capital resulting from the application of the advanced models is adjusted by factors related to the environment of the country and by internal control factors that depend on the level of mitigation of the weaknesses identified by the controls.
Admission of operational risk
As part of its continuous improvement of the admission stage of operational risk, the CORM function has implemented a new procedure for approving new businesses, products and services. It was put in place in 2013 and will be completed in 2014 with the implementation of a workflow tool to facilitate management and documentation, providing the procedure and the decision-making process with greater reliability and a monitoring capability. With this procedure, BBVA has integrated operational risk management further into the Group’s day-to-day operations, and adopted the best practices and recommendations made recently by European bodies and regulators. The improvements introduced for approval of businesses, products and services are:
- A clearer distinction between business and product and/or service.
- A simpler governance, made up of committees with a broader level of representation that combines the global vision of businesses and products in the business and geographical areas.
- A definition of the stages and tasks that the approval processes have to comply with, as well as the people responsible for carrying them out.
- Stronger monitoring of new businesses and products after their approval.
- A key role for the operational risk function, as coordinator and guarantor of the application of the criteria and processes, and for the different specialists involved, who take decisions within their field of expertise.