The Bank defines operational risk in accordance with the requirements of the Polish Financial Supervision Authority included in Recommendation M as the possibility of incurring a loss or an unjustified cost through the fault of inappropriate or unreliable internal processes, people, technical systems or as a result of external factors. It incorporates legal risk, but does not include strategic risk. Operational risk is inherent in any type of banking operations. The Bank identifies operational risk as permanently significant.
Operational risk management system
The Bank maintains and develops an operational risk management system that comprehensively integrates the management of individual types of operational risk in all areas of the Bank’s operations. The objective of the operational risk management system is to ensure the safety of the Bank’s operations by implementing effective mechanisms for identification, assessment and quantification, monitoring, control, reporting and taking actions aimed at reducing operational risk. Such measures take into account the structures, processes, resources and scopes of responsibilities for the aforementioned processes at various organisational levels within the Bank
The operational risk management strategy is described in the “Operational Risk Management Strategy of BNP Paribas Bank Polska S.A.”, approved by the Management Board of the Bank and endorsed by the Supervisory Board. “The Operational Risk Policy BNP Paribas Bank Polska S.A.”, adopted by the Management Board of the Bank, includes the organisational framework and standards for operational risk management. These documents address all areas of the Bank’s operations as well as define the Bank’s objectives and methods achieving them with regard to the quality of operational risk management and compliance with legal requirements set out in the recommendations and resolutions issued by local banking supervision authorities.
The Bank’s operational risk management objectives include, in particular, compliance with high operational risk management standards that guarantee security of customer deposits, the Bank’s equity, stability of its financial result as well as maintenance of the operational risk level within the range of the operational risk appetite and tolerance defined by the Bank. The main measure used to measure risk within the adopted appetite for operational risk is the ratio of operational losses recorded by the Bank over the adopted time period. While developing the operational risk management system, the Bank complies with the applicable legal requirements, in particular the recommendations and resolutions of the national financial supervision authorities and the standards adopted by the BNP Paribas Group.
In accordance with the “The Operational Risk Policy BNP Paribas Bank Polska S.A.”, the Bank’s operational risk management processes include:
- the identification and assessment of operational risk through the collection of information on operational events, the assessment of risks in processes and products and the determination of key risk indicators,
- setting the operational risk appetite and limits at the level of the entire Bank and individual business areas analysis of operational risk and its monitoring and ongoing control,
- preventing an increased level of operational risk, including risk transfer.
Compliance with the operational risk policy is verified by the Bank’s Management Board periodically and, if necessary, the required adjustments are made in order to improve the system. To that purpose, the Management Board of the Bank is regularly provided with information concerning the scale and types of operational risk to which the Bank is exposed, its effects and management methods. In particular, both the Bank’s Management Board and the Supervisory Board are regularly informed about the development of the operational risk appetite measures specified in the Operational Risk Management Strategy.
The Bank precisely defines the roles and responsibilities in the operational risk management process, considering its organisational structure. The operational risk management process is implemented through three lines of defence. The first line of defence consists of risk management in the operational activities of the Bank. The second line of defence includes, in particular, risk management by employees of specially appointed organisational units, independent of the risk management of the first line of defence, and the activities of the compliance function. The third line of defence involves the activities of the internal audit department.
Within the second line of defence, comprehensive supervision of the organisation of operational risk management standards and methods is exercised by the Operational Risk Department operating within the Risk Area. The definition and implementation of the Bank’s strategy with regard to insurance, as a method of risk mitigation, is the responsibility of the Real Estate and Administration Department. Business continuity management, on the other hand, is the responsibility of the Security and Business Continuity Management Division.
As part of the legal risk management process, the Legal Division monitors, identifies and performs analyses of changes to laws of general application and their effect on the Bank’s operations, in addition to court and administrative proceedings which affect the Bank. The Compliance Department is responsible for day-to-day compliance risk analysis as well as development of appropriate risk control techniques and their improvement.
In view of the increase in external and internal threats bearing the characteristics of fraud or crime against the assets of the Bank and its customers, the Bank has expanded and improved its processes for prevention, detection and investigation of such cases. The Fraud Prevention Department, as the second line of defence, supervises the activities performed in this area. The Bank’s Management Board and the Risk Committee of the Supervisory Board are informed about the effectiveness of solutions implemented by the Bank in this area.
Risk identification and assessment
The Bank places a strong focus on identification and assessment of the factors that trigger its present exposure to operational risk in relation to banking products. It is the Bank’s objective to reduce the operational risk level through improvement of its internal processes as well as mitigating the risk inherent in the process of launching new products and services and outsourcing operations to third parties.
In accordance with the “The Operational Risk Policy BNP Paribas Bank Polska S.A.”, operational risk analysis is aimed at acquiring an understanding of the interdependence between the risk generating factors and operational event types, and it is performed primarily with the objective to define the operational risk profile.
The operational risk profile is the assessment of materiality of the risk, which is understood as the scale and structure of the operational risk exposure, defining the degree of exposure to the operational risk (operational losses), within the structural dimensions selected by the Bank (key process areas) and the scale dimensions. Periodic assessment and review of the Bank’s operational risk profile is based on an analysis of the Bank’s current risk parameters, changes and risks occurring in the Bank’s environment, implementation of the business strategy, as well as the adequacy of the organisational structure and the effectiveness of the risk management and internal control system.
Internal control system
The purpose of internal control is effective risk control, including risk prevention or early detection. The role of the internal control system is to achieve general and specific objectives of the internal control system, which should be considered at the design stage of control mechanisms. The principles of the internal control system are described in the „Policy on internal control at BNP Paribas Bank Polska S.A.”, approved by the Bank’s Management Board. This document describes the main principles, organisational framework and standards for the functioning of the control environment in the Bank, complying with the PFSA’s requirements provided in Recommendation H. Detailed internal regulations concerning specific areas of the Bank’s activity are adapted to the specifics of the Bank’s operations. The appropriate organisational units of the Bank, in accordance with the scope of the tasks assigned to them, are responsible for developing detailed regulations relating to the area of internal control
The internal control system in the Bank is based on the 3 lines of defence model.
The Bank ensures the exercise of internal control through independent monitoring of compliance with controls, including ongoing verification and testing. The Bank strengthened the control environment in 2021 by, among other things, developing a tool to record and manage testing of the internal control environment.
Control and monitoring
The Bank periodically monitors the efficiency of the operational risk management system and its appropriateness for its current risk profile. The organisation of the operational risk management system is reviewed as part of periodic control exercised by the Internal Audit Division, which is not directly involved in the operational risk management process but provides professional and independent opinions supporting achievement of the Bank’s objectives. The Supervisory Board oversees the control of the operational risk management system and assesses its adequacy and effectiveness.
Operational risk capital requirements
In accordance with the applicable regulations, the Bank determines regulatory capital to cover the operational risk. The Bank uses the standardised approach (STA) for calculation of the capital requirement. Subsidiaries of the Bank, on a consolidated basis, determine the capital requirements according to the basic indicator approach (BIA).
Operational risk management in the Bank’s subsidiaries
In accordance with supervisory regulations, the Bank supervises the operational risk related to the operations of its subsidiaries. Operational risk management in subsidiaries is carried out within dedicated units / persons appointed for this purpose. The manner and methods of operational risk management in subsidiaries are organised adequately to the scope of operations of the entity and its business profile, in accordance with the principles in force at the Bank.