BBVA Group’s operational risk management model includes a governance structure based on three lines of defense, with clear specification of responsibilities: a) policies and procedures that are common to the whole Group; b) systems prepared to identify, measure, monitor, control and mitigate operational risks and losses; and c) tools and methodologies that quantify operational risk in terms of capital.
[Figure 40. Operational risk management framework: Three lines of defense]
Operational risk management in BBVA is designed and coordinated from the Corporate Operational Risk Management (GCRO) function, belonging to the GRM area, and from the Operational Risk Management (GRO) units, located in the Risk departments of the different countries and business areas. In turn, business or support areas have operational risk managers who report to the aforementioned units, and who are responsible for implementing the model in the areas on a daily basis. This gives the Group a view of risks at the process level, where risks are identified and prioritized and mitigation decisions are made. Following a bottom-up approach, this system provides an overall view at each level.
Each business and support unit has one or more GRO committees that meet on a quarterly basis. These committees analyze the information provided by the Group’s risk tools and make the appropriate mitigation decisions. Above these GRO committees is the country-level GRO Committee, which deals with the most significant risks and their corresponding mitigation plans, as well as risks that cut across different areas. The Global Corporate Assurance Committee (CGCA) is the highest-level body in the parent company, and undertakes a general monitoring of the Group’s main operational risks. The Board of Directors is responsible for establishing the risk control and management policy and for periodically monitoring the internal reporting and control systems.
[Figure 41. Operational risk management framework: Organizational structure]
BBVA is working to improve the operational risk management model along two lines:
- Incorporating specialist control units to obtain a more independent and expert overview and to unify governance of the Group’s control functions.
- Bolstering the operational risk scenarios with a scenario database that can be updated each year. Exhaustive quantification reports are constructed for them under different environments, with the help of independent experts and specialists.
Operational risk management in the Group is based on the value-adding drivers generated by the advanced measurement approach (AMA), as follows:
1. Active management of operational risk and its integration into day-to-day decision-making means:
- Knowledge of the real losses associated with this risk type (SIRO database).
- Identification, prioritization and management of real and potential risks.
- The existence of indicators that enable the Bank to analyze operational risk over time, define warning signals and verify the effectiveness of the controls associated with each risk.
The above helps create a proactive model for making decisions about control and business, and for prioritizing the efforts to mitigate relevant risks as well as reducing the Group’s exposure to extreme events.
2. Improved control environment and strengthened corporate culture.
3. Generation of a positive reputational impact.