56.7. Operational risk

The Bank’s operational risk is defined in accordance with the requirements of the Polish Financial Supervision Authority included in Recommendation M as the possibility of incurring a loss or an unreasonable cost through the fault of inappropriate or unreliable internal processes, people, technical systems or as a result of external factors. It comprises legal but not strategic risk. Operational risk as such is inherent in any banking operations.

Operational risk is managed with a view to reducing the losses and costs resulting from the aforesaid risk, ensuring top quality of the services provided by the Group in addition to security and compliance of the Group’s operations with the applicable laws and standards.

Operational risk management consists in employment of measures aimed at operational risk identification, analysis, monitoring, control, reporting and mitigating. Such measures take into account the structures, processes, resources and scopes of responsibilities for the said processes at various organisational levels. The operational risk management strategy has been described in the Operational Risk Management Strategy of BNP Paribas Bank Polska S.A., which was approved by the Management Board of the Bank and accepted by the Supervisory Board. The Operational Risk Policy of BNP Paribas Bank Polska S.A., adopted by the Management Board of the Bank, constitutes organisational framework and standards for operational risk management. It addresses all aspects of the Bank’s operations in addition to defining the Bank’s objectives and the methods of their achievement as regards the quality of operational risk management as well as compliance with legal requirements set out in the recommendations and resolutions issued by national financial supervision authorities. The Bank’s operational risk management objectives include, in particular, compliance with high operational risk management that guarantee security of customer deposits, the Bank’s equity, stability of its financial performance as well as maintenance of the operational risk level within the range of the operational risk appetite and tolerance defined by the Bank. When developing the operational risk management system, the Bank complies with the applicable legal requirements, in particular, with the recommendations and resolutions of the national financial supervision authorities and the standards adopted by the BNP Paribas Group.

In accordance with the Policy, the Bank’s operational risk management instruments include:

• tools used for purposes of recording operational events, together with the principles of their recording, allocation and reporting;
• operational risk analysis, its monitoring and daily control;
• counteracting an elevated level of operational risk, to include risk transfer;
• calculation of the capital requirement related to the operational risk.

Compliance with the operational risk policy is verified by the Bank’s Management Board periodically and, if necessary, the required adjustments are made in order to improve the system. To this end, the Management Board of the Bank is regularly provided with information concerning the scale and types of operational risk to which the Bank is exposed, its effects and management methods.

The Bank precisely defines the roles and responsibilities in the operational risk management process, considering its organisational structure. The Operational Risk Department is responsible for daily operational risk analysis in addition to development of appropriate risk control and mitigation techniques and their improvement. Development and implementation of the Bank’s strategy with respect to insurance as a risk mitigation technique is the responsibility of the Real Estate and Administration Department, while the Security and Management of Business Continuity Department is in charge of business continuity management.

As part of the legal risk management process, the Legal Division monitors, identifies and performs analyses of changes to laws of general application and their effect on the Group’s operations, in addition to court and administrative proceedings which affect the Group. The Compliance Monitoring Department is responsible for daily non-compliance risk analysis in addition to development of appropriate risk controls and their improvement.

Considering the elevated level of external and internal risks related to fraud and offense against the assets of the Bank and its customers, the Bank has extended the scope of and improved its processes aimed at counteracting, detecting and examining such cases, which is entrusted with the Fraud Prevention Department.

The Bank places a strong focus on identification and assessment of the factors that trigger its present exposure to operational risk in relation to banking products. It is the Bank’s objective to reduce the operational risk level through improvement of its internal processes as well as mitigating the risk inherent in the process of launching new products and services and outsourcing operations to third parties.

In accordance with the Operational Risk Management Policy of BNP Paribas Bank Polska S.A., the operational risk analysis is aimed at acquiring an understanding of the interdependence between the risk generating factors and operational event types, and it is performed primarily with the objective to define the operational risk profile.

The operational risk profile is an assessment of the level of significance of this risk, understood as the scale and structure of operational risk exposures, determining the exposure levels to this risk (i.e. operational losses), expressed in the structural dimensions selected by the Bank and the scale dimensions. Periodic assessment and review of the Bank’s operational risk profile is based on an analysis of the Bank’s current risk parameters, changes and risks occurring in the Bank’s environment, implementation of the business strategy, as well as the adequacy of the organisational structure and the effectiveness of the risk management and internal control system.

Keeping a track record of operational events enables efficient operational risk analysis and monitoring. The process of operational event recording is overseen by the Operational Risk Department, which assumes responsibility for verification of the quality and completeness of data concerning operational events recorded in dedicated tools available to all organisational units of the Bank.

The purpose of internal control is effective risk control, including risk prevention or early detection. The role of the internal control system is to achieve general and specific objectives of the internal control system, which should be considered at the design stage of control mechanisms. The principles of the internal control system are described in the „Policy on internal control at BNP Paribas Bank Polska S.A.” document, approved by the Bank’s Management Board. This document describes the main principles, organisational framework and standards for the functioning of the control environment at the Bank, complying with the PFSA requirements provided in Recommendation H and the Regulation of the Minister of Development and Finance of 6 March 2017 on the risk management system and the internal control system, the remuneration policy and the detailed method of estimating internal capital in banks. Detailed internal regulations concerning specific areas of the Bank’s activity are adapted to the specifics of the Bank’s operations. The appropriate organisational units of the Bank, in accordance with the scope of the tasks assigned to them, are responsible for developing detailed regulations relating to the area of internal control.

The internal control system at the Bank is based on the 3 defence lines model, which consists of:

• 1st defence line, which consists of organisational units from particular areas of banking and support areas,
• 2nd defence line, which consists of organisational units responsible for risk management, regardless of the risk management related to the first line defence, and the compliance unit,
• 3rd defence line, which is independent and objective internal audit unit.

The Bank ensures internal control through independent monitoring of compliance with control mechanisms, including on-going verification and testing.

The Bank periodically monitors the efficiency of the operational risk management system and its appropriateness for its current risk profile. The organisation of the operational risk management system is reviewed as part of periodic control exercised by the Internal Audit Division, which is not directly involved in the operational risk management process but provides professional and unbiased opinions supporting achievement of the Bank’s objectives. The operational risk management system is overseen, and its appropriateness and efficiency are assessed by the Supervisory Board.

The Bank estimates its regulatory capital necessary to cover operational risk in accordance with the applicable regulations. The said calculation is performed using the standard approach (STA). Requirements regarding Bank’s subsidiaries, to be disclosed in the consolidated financial statements, are determined in accordance with the base indicator method (BIA).

In accordance with supervisory regulations, the Bank supervises operational risk related to the operations of its subsidiaries. Operational risk management in subsidiaries is performed in dedicated units / persons appointed for this purpose. The method of operational risk management in subsidiaries is organised adequately to the scope of the particular entity’s activity and the profile of its operations, in accordance with the rules applied in the Bank.

As part of operational risk management, the Bank conducts activities in the area of ongoing risk analysis related to the pandemic of the COVID-19 pandemic, and undertakes appropriate measures to ensure the safety of employees and clients of the Bank and to ensure uninterrupted implementation of processes related to the conducted business activities.