56.7. Operational risk

The Bank’s operational risk is defined in accordance with the requirements of the Polish Financial Supervision Authority included in Recommendation M as the risk of incurring a loss through the fault of inappropriate or unreliable internal processes, people, technical systems or as a result of external factors. It comprises legal but not strategic risk. Operational risk as such is inherent in any banking operations. The Bank identifies the risk as permanently significant.

Operational risk is managed with a view to reducing the losses and costs resulting from the aforesaid risk, ensuring top quality of the services provided by the Group in addition to security and compliance of the Group’s operations with the applicable laws and standards.

Operational risk management consists in employment of measures aimed at operational risk identification, analysis, monitoring, control, reporting and mitigating. Such measures take into account the structures, processes, resources and scopes of responsibilities for the said processes at various organizational levels. The operational risk management strategy has been described in the Operational Risk Management Strategy of BNP Paribas Bank Polska S.A., which was approved by the Management Board of the Bank and accepted by the Supervisory Board. The Operational Risk Policy of BNP Paribas Bank Polska S.A., adopted by the Management Board of the Bank, constitutes organizational framework and standards for operational risk management. It addresses all aspects of the Bank’s operations in addition to defining the Bank’s objectives and the methods of their achievement as regards the quality of operational risk management as well as compliance with legal requirements set out in the recommendations and resolutions issued by national financial supervision authorities. The Bank’s operational risk management objectives include, in particular, compliance with high operational risk management that guarantee security of customer deposits, the Bank’s equity, stability of its financial performance as well as maintenance of the operational risk level within the range of the operational risk appetite and tolerance defined by the Bank. When developing the operational risk management system, the Bank complies with the applicable legal requirements, in particular, with the recommendations and resolutions of the national financial supervision authorities and the standards adopted by the BNP Paribas Group.

In accordance with the Policy, the Bank’s operational risk management instruments include:

• identification and assessment of operational risk, including through gathering information on operational events, assessment of the risk in processes and products and determination of key risk indicators;
• setting the operational risk appetite and limits at the level of the whole Bank and individual business areas; analysing operational risk, its monitoring and ongoing control;
• counteracting an elevated level of operational risk, to include risk transfer.

Compliance with the operational risk policy is verified by the Bank’s Management Board periodically and, if necessary, the required adjustments are made in order to improve the system. To this end, the Management Board of the Bank is regularly provided with information concerning the scale and types of operational risk to which the Bank is exposed, its effects and methods of operational risk management. In particular, both the Bank’s Management Board and Supervisory Board are informed on a regular basis of the development of the operational risk appetite measures set out in the Operational Risk Management Strategy.

The Bank precisely defines the roles and responsibilities in the operational risk management process, considering its organizational structure. The Operational Risk Department, operating within the risk management area, has comprehensive oversight of the organisation of operational risk management standards and methods within the second line of defense. Development and implementation of the Bank’s strategy with respect to insurance as a risk mitigation technique is the responsibility of the Real Estate and Administration Department, while the Security and Management of Business Continuity Division is in charge of business continuity management.

As part of the legal risk management process, the Legal Division monitors, identifies and performs analyses of changes to laws of general application and their effect on the Group’s operations, in addition to court and administrative proceedings which affect the Group. The Compliance Monitoring Department is responsible for daily non-compliance risk analysis in addition to development of appropriate risk controls and their improvement.

Considering the elevated level of external and internal risks related to fraud and offense against the assets of the Bank and its customers, the Bank has been extending the scope of and improved its processes aimed at counteracting, detecting and examining such cases. The Fraud Prevention Department, as the second line of defense, supervises the activities carried out in this area. The Bank’s Management Board and the Risk Committee of the Supervisory Board are informed about the effectiveness of solutions implemented by the Bank in this respect.

The Bank places a strong focus on identification and assessment of the factors that trigger its present exposure to operational risk in relation to banking products. It is the Bank’s objective to reduce the operational risk level through improvement of its internal processes as well as mitigating the risk inherent in the process of launching new products and services and outsourcing operations to third parties.

In accordance with the Operational Risk Management Policy of BNP Paribas Bank Polska S.A., the operational risk analysis is aimed at acquiring an understanding of the interdependence between the risk generating factors and operational event types, and it is performed primarily with the objective to define the operational risk profile.

The operational risk profile is an assessment of the level of significance of this risk, understood as the scale and structure of operational risk exposures, determining the exposure levels to this risk (i.e. operational losses), expressed in the structural dimensions selected by the Bank and the scale dimensions. Periodic assessment and review of the Bank’s operational risk profile is based on an analysis of the Bank’s current risk parameters, changes and risks occurring in the Bank’s environment, implementation of the business strategy, as well as the adequacy of the organizational structure and the effectiveness of the risk management and internal control system.

The purpose of internal control is effective risk control, including risk prevention or early detection. The role of the internal control system is to achieve general and specific objectives of the internal control system, which should be considered at the design stage of control mechanisms. The principles of the internal control system are described in the „Policy on internal control at BNP Paribas Bank Polska S.A.” document, approved by the Bank’s Management Board. This document describes the main principles, organizational framework and standards for the functioning of the control environment at the Bank, complying with the PFSA requirements provided in Recommendation H and the Regulation of the Minister of Finance, Funds and Regional Policy of 8 June 2021 on the risk management system and the internal control system, the remuneration policy in banks. Detailed internal regulations concerning specific areas of the Bank’s activity are adapted to the specifics of the Bank’s operations. The appropriate organizational units of the Bank, in accordance with the scope of the tasks assigned to them, are responsible for developing detailed regulations relating to the area of internal control.

The internal control system at the Bank is based on the 3 defense lines model, which consists of:

• 1st defense line, which consists of organizational units from particular areas of banking and support areas,
• 2nd defense line, which consists of organizational units responsible for risk management, regardless of the risk management related to the first line defense, and the compliance unit,
• 3rd defense line, which is independent and objective internal audit unit.

The Bank ensures internal control through independent monitoring of compliance with control mechanisms, including on-going verification and testing.

The Bank periodically monitors the efficiency of the operational risk management system and its appropriateness for its current risk profile. The organization of the operational risk management system is reviewed as part of periodic control exercised by the Internal Audit Division, which is not directly involved in the operational risk management process but provides professional and unbiased opinions supporting achievement of the Bank’s objectives. The operational risk management system is overseen, and its appropriateness and efficiency are assessed by the Supervisory Board.

The Bank estimates its regulatory capital necessary to cover operational risk in accordance with the applicable regulations. The said calculation is performed using the standard approach (STA). Requirements regarding Bank’s subsidiaries, to be disclosed in the consolidated financial statements, are determined in accordance with the base indicator method (BIA).

In accordance with supervisory regulations, the Bank supervises the operational risk related to the activities of its subsidiaries. Operational risk management in subsidiaries is carried out within dedicated units/persons appointed for this purpose. The manner and methods of operational risk management in subsidiaries are organised adequately to the scope of activity of an entity and its business profile, in accordance with the rules in force in the Group.

As part of operational risk management, the Bank conducts activities in the area of ongoing risk analysis related to the pandemic of the COVID-19 pandemic, and undertakes appropriate measures to ensure the safety of employees and clients of the Bank and to ensure uninterrupted implementation of processes related to the conducted business activities.