BBVA Group's OR management model comprises 3 lines of defense:
1. First line: management in business and support areas (hereinafter the Areas) of the OR in their products, activities, processes and systems.
The Areas must integrate OR management into their day-to-day activities, collaborating in the identification and assessment of risks, establishing the target risk, carrying out the controls and executing the mitigation plans for those risks whose residual risk level is higher than the acceptable one.
In all OR management areas, the Operational Risk Managers (Business ORMs) ensure adequate management of operational risk in their respective areas, promoting the identification of the target risk and ensuring the implementation of the mitigation plans and proper execution of controls. OR management in the units is set out, expressed and followed at the Operational Risk Management Committee (ORM Committee).
2. Second line: the “Corporate Operational Risk Management” (CORM) and “Operational Risk Management” functions at country level, which are independent of the first line, are in charge of designing and maintaining the Group's OR model and verifying its proper application in the different Areas.
Moreover, the activities of this second line of defense include those carried out by the Specialized Control Units: Legal Compliance, Internal Risk Control*), Internal Financial Control, Operational Control, IT Risk, Fraud & Security, as well as those of the Production Managers for Procurement, Real Estate and Services, HR and Strategy and Finance in Spain. The activities carried out by this second line of defense are:
- Identify the main risks in their field of expertise for the Areas, as well as their assessment.
- Define mitigating measures and ensure their implementation by the Areas.
- Assist the Areas in fulfilling their responsibility.
The Holding Specialists provide a cross-cutting vision to the Group's model, establishing risk references and controls for their Local Specialists to collateral an independent, expert and consistent vision.
3. Third line: carried out by BBVA's Internal Audit, which:
- Conducts an independent review of the model, verifying compliance with the corporate policies established and their effectiveness
- Provides independent information on the control environment to the Corporate Assurance Committees
CHART 24: Operational risk management framework: Three lines of defense
