Operational Risk management in BBVA Group must:
- Be aligned with the Risk Appetite statement set out by the Board of Directors of BBVA.
- Predict the potential operational risks to which the Group may be exposed as a result of the emergence or modification of new products, activities, processes or systems and outsourcing decisions and establish procedures to enable their assessment and reasonable mitigation prior to their implementation.
- Establish methodologies and procedures to enable a regular reassessment of the relevant operational risks to which the Group is exposed, in order to adopt appropriate mitigation measures in each case, after considering the identified risk and the cost of mitigation (cost-benefit analysis) and preserving at all times the Group's solvency.
- Identify the causes of the operational losses sustained by the Group and establish measures to enable their reduction. To do so, procedures must be in place to enable the capture and analysis of the operational events causing such losses.
- Analyze the events that may have caused operational risk losses in other entities in the financial sector and drive, where appropriate, the implementation of the measures necessary to prevent their occurrence in the Group.
- Identify, analyze and quantify events with a low probability of occurrence and high impact which, due to their exceptional nature, may possibly not be included in the losses database or, if they are, have unrepresentative impacts, in order to ensure their mitigation.
- Have effective governance in which the functions and responsibilities of the Areas and Bodies involved in OR management are clearly defined.
TABLE 52: Characteristics of the Operational Risk management model
| Soundness | Board Holding - Country - Unit |
|---|---|
| Depth | Model created in 1999 using database since 2002 |
| Integrated management | Capital, budgets, incentives, internal benchmark, culture |
| Forward-looking | Uses future variables for analysis, calculation and mitigation |
| Continuous improvement | Best practices function and continuous updating |
These principles reflect BBVA Group's vision of OR, which is based on the premise that the events that occur as a result of OR have an ultimate cause that should always be identified. The control of the causes significantly reduces the impact of the events. The OR management tools must provide information on the origin of OR and assist in its mitigation.
Irrespective of the adoption of all possible measures and controls to prevent or reduce both the frequency and severity of OR events, BBVA must ensure that it has sufficient capital at all times to cover the expected or unexpected losses that may arise.
In this regard, BBVA Group is committed to preferably applying the advanced measurement approaches for calculating capital use for OR defined by the BIS, unless the risk profile of a specific unit does not justify the assumption of the costs that their implementation entails. Those areas that do not use the advanced measurement approaches must be one level below the advanced approach (standardized approach or equivalent).
Corporate Operational Risk Management (CORM) proposes the general policies that guide management and enable control of the Group's operational risk.
Based on these principles, BBVA Group has drawn up this operational risk management policy, which aims to reasonably ensure (cost-benefit analysis) that the relevant operational risks to which the Group is exposed in carrying out its activities are identified, assessed and managed consistently with the risk appetite statement set out by the Board of Directors of BBVA, preserving the Group's solvency.
To achieve this objective, OR must be managed in BBVA Group from two different and complementary viewpoints:
- The “ex-ante” point of view, which involves identifying, assessing and prioritizing potential operational risks to enable their mitigation.
From this standpoint, OR is managed in a proactive and preventive way by the Areas and Units exposed. This management is integrated into the day-to-day decision-making process (use test) and is focused on the analysis of the causes of OR to enable its mitigation. - The “ex-post” point of view, which involves assessing the exposure to OR and measuring its consequences, i.e. the historical cost of the events that have occurred. From this perspective, OR management uses tools associated with the consequences of OR not only to complement OR management, but also to feed the calculation of capital use for OR for those Group areas that operate under advanced OR measurement approaches.
The elements that enable OR to be managed in BBVA Group from these two standpoints are described below.
6.4.1. Operational Risk management parameters
In order to align operational risk management with the risk appetite statement set out by the Board of Directors, it is necessary to define the Operational Risk management parameters and/or the different types of operational risks faced by the Group in its activities.
These management parameters must incorporate both quantitative and qualitative indicators that enable the Group's operational risk profile to be assessed on a regular basis and act as levers for managing this risk.
CORM is the area responsible for defining these management parameters and reporting periodically on their level of compliance.
6.4.2. Operational Risk admission process
Although strictly speaking there is not a true OR admission process, as the one carried out, for example, in Credit Risk, BBVA Group considers that the assimilation presented in this section is useful for controlling this risk and contributes to its mitigation. The aim of this process is to: anticipate the potential operational risks to which the Group may be exposed as a result of the emergence or modification of new products, activities, processes or systems and outsourcing decisions and ensure that they are implemented only after adopting suitable mitigation measures in each case.
The Group will have a specific governance model for OR admission that will take the form of different Committees that will act as admission vehicles in the different areas in which the emergence of OR is concentrated: new businesses, new products, systems, outsourcing decisions, etc.
Effective and flexible procedures will exist in each of the above areas to enable the carrying out of activities based on best practices. These procedures will have a process vision that makes a distinction between strategic decisions and technical decisions, and will have a simple form of governance with adequate representation.
Effectiveness in the admission procedure will require a full assessment of OR and monitoring of incidents, constraints, events, operational losses, objections, etc. that may appear after the admission.
The responsibility for preparing the corporate procedures related to the approval of operational risks assumed as a result of:
- New products, activities and processes lies with CORM
- Outsourcing decisions lies with Operational Control*) (I&T Technology)
- New systems lies with IT Risk, Fraud & Security (I&T Technology)
6.4.3. Operational Risk monitoring and management/mitigation tools
6.4.3.1. Risk and Control Self-Assessment
An appropriate management of OR requires the establishment of methodologies and procedures to identify, assess and follow this type of risks, in order to implement suitable mitigation measures in each case. This will be done by comparing the level of risk assumed and the cost of mitigation.
BBVA Group's OR management methodology has the following phases:
- Establishment of the model's perimeter, identifying the companies and activities that may give rise to significant OR. These companies and activities are associated with their processes using the taxonomy established by the Group. Processes are the starting point for identifying the OR factors.
- Identification of potential and real OR factors based on the review of the processes, applying self-assessment techniques that are completed and verified against other relevant information.
- Prioritization of the OR factors through the calculation of the inherent risk: estimation of the exposure to risk in an adverse and conservative environment without considering the existence of possible controls. Prioritization is used to separate the critical factors from the non-critical ones by applying cut-off points.
- For critical risks, the controls that contribute to their reduction are identified, documented and tested, and based on their effectiveness the residual risk (which incorporates the reducing effect of the controls, where applicable) is calculated.
- A specific target is set for each critical risk, that constitutes the level of risk considered acceptable. In those risks in which the residual risk is higher than the target risk there is a gap between both that requires that the risk be mitigated through a mitigation plan.
The aim is to have an evolving and dynamic OR management model that reflects the essential aspects of this risk's situation at any given time.
OR management should be coordinated with other risks, considering the credit or market consequences that may have an operational origin.
6.4.3.2. Operational Risk indicators
Dynamic management of OR requires not only a regular self-assessment of OR, but also the definition of a set of indicators to enable the changes in both the risk factors and the effectiveness of the controls to be measured over time, in order to have available information on unexpected changes and enable preventive management of Operational Risk.
Indicators can be associated with risks (Key Risk Indicators, KRI) or with controls (Key Control Indicators, KCI). To provide value, the KRIs must be associated with the causes of operational risk, which will lend them a predictive and proactive nature. An indicator associated with operational risk consequences, claims, losses, etc. generally overlaps with the SIRO database and with its regular analysis of trends, so it provides little value.
KCIs generate the additional value of measuring the control's effectiveness over time and enable a more efficient and dynamic management of OR.
6.4.3.3. Operational losses database
In line with the best practices and recommendations of the BIS, BBVA has procedures in place for collecting operational losses that occur both in the different Group entities and in other financial groups (ORX losses database, ORX News service, etc).
- Internal operational losses database - SIRO.
Through automatic interfaces with accounting and expense and manual capture procedure applications, this tool collects the accounting losses associated with OR events. The losses are captured with no amount limit and constitute an input for calculating the capital use for OR in advanced measurement approaches and a reference for the Risk and Control Self Assessment, and are analyzed on a regular basis in terms of trends and monitoring of expected losses.
- External operational losses database - ORX
The Bank, together with other leading entities worldwide, subscribed with the ORX consortium, as a founding partner, the creation of an external database for anonymously exchanging information related to operational events.
This consortium provides both quantitative and qualitative information on the operational events experienced by the member entities. The information obtained through this means is used both to identify potential ORs and analyze whether appropriate mitigation measures are available, and for the purpose of calculating capital using advanced measurement approaches.
6.4.3.4. Operational Risk scenarios
These reflect the exposure to a limited number of situations that may give rise to very significant losses with a reduced estimated frequency of occurrence. The scenarios feed the capital calculation in those Group areas that operate under advanced measurement approaches, and also constitute a reference for OR management.
6.4.4. Mitigation plans
Mitigation means to reduce the level of exposure to OR. Even though there is always the option of eliminating OR by exiting a given activity, the Group's policy is to attempt to mitigate the risk first by improving the control environment or applying other measures, conducting a rigorous cost-benefit analysis. The different forms of mitigation always have associated costs. It is therefore fundamental to assess the cost of the OR properly before making a decision.
As long as the residual risk exceeds the defined target risk level, mitigation measures will need to be established to keep it within the level. The area responsible for OR will drive its implementation through the Operational Risk Management Committee.
6.4.5. Tools
The procedures and methodologies associated with this Operational Risk Management Policy are embedded in corporate tools that collateral compliance therewith. CORM is responsible for their development and implementation throughout the scope described in section 1.
Tools must be available to prepare quality reporting for the Group's Management and Governing Bodies, Regulators, etc.
All the information will be subjected to a continuous improvement process in order to adapt it to the needs of the Areas, the Group's decision-making bodies, the Regulator or the new requirements envisaged in the future.
The OR Management Units (CORM, Country Operational Risk Management and Operational Risk Management in the Areas) are responsible for reporting the OR model.