Annual report 2019

Operational risk

The Bank defines operational risk in accordance with the requirements of the Polish Financial Supervision Authority included in Recommendation M as the possibility of incurring a loss or an unjustified cost through the fault of inappropriate or unreliable internal processes, people, technical systems or as a result of external factors.

It incorporates legal risk, but does not include strategic risk. Operational risk is inherent in any type of banking operations.

Operational risk management system

The Bank maintains and develops an operational risk management system that comprehensively integrates the management of individual types of operational risk in all areas of the Bank’s operations. The objective of the operational risk management system is to ensure the safety of the Bank’s operations by implementing effective mechanisms for identification, assessment and quantification, monitoring, control, reporting and taking actions aimed at reducing operational risk. Such measures take into account the structures, processes, resources and scopes of responsibilities for the aforementioned processes at various organisational levels within the Bank.

The operational risk management strategy is described in the “Operational Risk Management Strategy of BNP Paribas Bank Polska S.A.”, approved by the Management Board of the Bank and endorsed by the Supervisory Board. “The Operational Risk Policy BNP Paribas Bank Polska S.A.”, adopted by the Management Board of the Bank, includes the organisational framework and standards for operational risk management. These documents address all areas of the Bank’s operations as well as define the Bank’s objectives and methods of achieving them with regard to the quality of operational risk management and compliance with legal requirements set out in the recommendations and resolutions issued by local banking supervision authorities.

The Bank’s objectives

The Bank’s operational risk management objectives include, in particular, compliance with high operational risk management standards that guarantee security of customer deposits, the Bank’s equity, stability of its financial result as well as maintenance of the operational risk level within the range of the operational risk appetite and tolerance defined by the Bank. While developing the operational risk management system, the Bank complies with the applicable legal requirements, in particular the recommendations and resolutions of the national financial supervision authorities and the standards adopted by the BNP Paribas Group.

In accordance with “The Operational Risk Policy BNP Paribas Bank Polska S.A.”, the Bank’s operational risk management instruments include:

  • tools used to record operational events, together with the principles of their recording, allocation and reporting;
  • operational risk analysis, its monitoring and ongoing control;
  • counteracting elevated operational risk levels, including risk transfer;
  • calculation of the capital requirement related to operational risk.

Compliance with the operational risk policy is verified by the Bank’s Management Board periodically and, if necessary, the required adjustments are made in order to improve the system. To that end, the Management Board of the Bank is regularly provided with information concerning the scale and types of operational risk to which the Bank is exposed, its effects and management methods.

The Bank precisely defines the roles and responsibilities in the operational risk management process, considering its organisational structure. The Operational Risk Department is responsible for day-to-day operational risk analysis in addition to development of appropriate risk control and mitigation techniques and their improvement. Development and implementation of the Bank’s strategy with respect to insurance as a risk mitigation technique is the responsibility of the Real Estate and Administration Department, while the Security and Continuity of Business Management (CoB) Department focuses on management of continuity of business.

As part of the legal risk management process, the Legal Division monitors, identifies and performs analyses of changes to laws of general application and their effect on the Bank’s operations, in addition to court and administrative proceedings which affect the Bank. The Compliance Department is responsible for day-to-day compliance risk analysis as well as development of appropriate risk control techniques and their improvement.

Considering the elevated level of external and internal risks related to fraud and offence against the assets of the Bank and its customers, the Bank has extended the scope of and improved its processes aimed at counteracting, detecting and examining such cases, which is the responsibility of the Fraud Management Department.

The Bank places a strong focus on identification and assessment of the factors that trigger its present exposure to operational risk in relation to banking products. It is the Bank’s objective to reduce the operational risk level through improvement of its internal processes as well as mitigating the risk inherent in the process of launching new products and services and outsourcing operations to third parties.

In accordance with “The Operational Risk Policy BNP Paribas Bank Polska S.A.”, operational risk analysis is aimed at acquiring an understanding of the interdependence between the risk-generating factors and operational event types, and it is performed primarily with the objective of defining the operational risk profile.

The operational risk profile is the assessment of materiality of the risk, which is understood as the scale and structure of the operational risk exposure, defining the degree of exposure to the operational risk (operational losses), within the structural dimensions selected by the Bank (key process areas) and the scale dimensions. Periodic assessment and review of the Bank’s operational risk profile is based on an analysis of the Bank’s current risk parameters, changes and risks occurring in the Bank’s environment, implementation of the business strategy, as well as the adequacy of the organisational structure and the effectiveness of the risk management and internal control system.

Keeping a track record of operational events enables efficient operational risk analysis and monitoring. The process of operational event recording is overseen by the Operational Risk Department, which is responsible for verification of the quality and completeness of data concerning operational events recorded in dedicated tools available to all organisational units of the Bank.

The purpose of internal control is effective risk control, including risk prevention or early detection. The role of the internal control system is to achieve general and specific objectives of the internal control system, which should be considered at the design stage of control mechanisms. The principles of the internal control system are described in the “Policy on internal control at BNP Paribas Bank Polska S.A.”, approved by the Bank’s Management Board. This document describes the main principles, organisational framework and standards for the functioning of the control environment in the Bank, complying with the PFSA requirements provided in Recommendation H. Detailed internal regulations concerning specific areas of the Bank’s activity are adapted to the specifics of the Bank’s operations. The appropriate organisational units of the Bank, in accordance with the scope of the tasks assigned to them, are responsible for developing detailed regulations relating to the area of internal control.

The internal control system in the Bank is based on the 3 lines of defence model, which consists of:

  • 1st line of defence, which are organisational units from particular areas of banking and support areas,
  • 2nd line of defence, which are organisational units responsible for risk management, regardless of the risk management related to the first line of defence, and the compliance unit,
  • 3rd line of defence, which is the independent and impartial internal audit unit.

The Bank ensures internal control through independent monitoring of compliance with control mechanisms, including ongoing verification and testing.

The Bank periodically monitors the efficiency of the operational risk management system and its appropriateness for its current risk profile. The organisation of the operational risk management system is reviewed as part of periodic control exercised by the Internal Audit Division, which is not directly involved in the operational risk management process but provides professional and independent opinions supporting achievement of the Bank’s objectives. The Supervisory Board oversees the control of the operational risk management system and assesses its adequacy and effectiveness.

Operational risk capital requirements

In accordance with the applicable regulations, the Bank determines regulatory capital to cover the operational risk. The Bank uses the standardised approach (STA) for calculation of the capital requirement. Subsidiaries of the Bank, on a consolidated basis, determine the capital requirements according to the basic indicator approach (BIA).

Operational risk management in the Bank’s subsidiaries

In accordance with supervisory regulations, the Bank supervises the operational risk related to the operations of its subsidiaries. Supervision is performed in the form of:

  • the Bank’s participation in developing and modifying operational risk management policies in its subsidiaries;
  • providing substantive support in the field of operational risk management methods;
  • participation of the Bank’s representatives in selected activities in the field of operational risk management in subsidiaries;
  • verification of compliance of operational risk management in subsidiaries with the strategy and policy of the Bank and the BNP Paribas Group.

As part of the implemented operational risk strategy and policy, subsidiaries of the Bank introduce, in particular, the principles of operational risk management and create organisational units (independent positions or functions) responsible for operational risk management. At the same time, they cooperate in this respect with the Operational Risk Department, which ensures the implementation of supervisory activities over the operational risk management processes in the Group. Moreover, the Bank’s subsidiaries adopted the definitions of risks in line with the definitions applied by the Bank for the needs of operational risk management. In accordance with the requirements of supervisory regulations, the Bank records operational losses of its subsidiaries on the basis of information provided by these entities.
