Operational Risk Management model

BBVA Group’s operational risk management model includes a governance structure based on three lines of defense, with clear specification of responsibilities: a) policies, criteria and processes that are common to the whole Group; b) systems prepared to identify, measure, monitor, control and mitigate operational risks; and c) tools and methodologies that quantify operational risks in terms of capital.

Operational risk management in BBVA is carried out by the business and support units into which each country is organized. Each country has its own Internal Control and Operational Risk (Control Interno y Riesgo Operacional - CIRO) unit. In turn, there is an internal control and operational risk unit in each business and support area reporting to the country CIRO. This gives the Group a view of risks at the process level, where risks are identified and prioritized and mitigation decisions are made. Following a bottom-up approach, this system enables a general view at each level.

Each business and support unit has one or more Internal Control and Operational Risk Committees (CIROCs) that meet on a quarterly basis. These committees analyze the information provided by the Group’s tools and make the appropriate mitigation decisions. Above these CIROCs is the Country-level Internal Control and Operational Risk Committee, which deals with more significant risks and their corresponding mitigation plans as well as risks that cut across different areas. The Global Internal Risk and Operational Risk Committee (CGCIRO) is the highest-level body in the parent company, and undertakes general monitoring of the Group’s main operational risks. At the highest level of all are the governance bodies, which are the main driver of operational risk management within the Group.

Operational risk management in the Group is based on the value-adding drivers generated by the advanced measurement approach (AMA), as follows:

1. Active management of operational risk and its integration into day-to-day decision-making (management) mean:

  • Knowledge of the real losses associated with this risk type (SIRO database).
  • Identification, prioritization and management of real and potential risks.
  • The existence of indicators that enable the Bank to analyze operational risk over time, define warning signals and verify the effectiveness of controls associated with each risk.

The above helps create a proactive model for making decisions about control and business, and for prioritizing the efforts to mitigate relevant risks as well as reducing the Group’s exposure to extreme events.

2. Improved control environment and strengthened corporate culture.

3. Generation of a positive reputational impact.

40. Operational risk management framework: three lines of defense
41. Operational risk management framework: organizational structure