Logotype

Information of Prudential Relevance 2015

3.8. Operational risk

Print this page

3.8.1. Scope and nature of the operational risk measurement and reporting systems

Operational risk is defined as the one that could potentially cause losses due to human errors, inadequate or faulty internal processes, system failures or external events. This definition includes legal risk, but excludes strategic and/or business risk and reputational risk.

Operational risk is inherent to all banking activities, products, systems and processes. Its origins could be highly diverse (processes, internal and external fraud, technology, human resources, commercial practices, disasters and suppliers). Operational risk management is integrated into the BBVA Group’s global risk management structure.

The analysis of the entity’s RWA structure shows that 8% corresponds to Operational Risk.

3.8.2. Operational Risk definition

BBVA accepts the definition of Operational Risk proposed by the Bank for International Settlements (BIS) in Basel: “Operational Risk is defined as the one that could potentially cause losses as a result of human errors, inadequate or faulty internal processes, system failures or external events”. This definition excludes the strategic and/or business risk and the reputational risk (which is managed separately within BBVA Group).

The definition of Operational Risk (OR) in BBVA Group includes the following types of risk:

  • Processes.
  • External and internal fraud.
  • Technological.
  • Human resources.
  • Commercial practices.
  • Disasters.
  • Suppliers.

3.8.3. Operational Risk methodology

The Group has in place an integrated internal control and operational risk methodology.

This methodology identifies risks in organizational areas, generates analyses that prioritize risks according to the estimated residual risk (after incorporating control effects), links risks to processes and establishes an objective risk level for each risk type to identify and manage gaps by comparing it with the residual risk level.

The Corporate Risk Area, through its Corporate Operational Risk Management (CORM) unit, establishes the criteria to apply for determining the BBVA Group companies in which the OR monitoring and management/mitigation tools described in section 6.4.3 should be implemented. These criteria are based on both quantitative and qualitative aspects.

The scope of application of the OR management model revolves around the following elements:

  • Company
  • Process: in general, OR originates in the different activities/processes carried out in the Group.
  • Business line: because the type of the different operational risks to which the Group is exposed, and their impact, is substantially different for each line of business, considering this element is fundamental for effective management of OR.

3.8.4. Model based on 3 lines of defense

BBVA Group’s OR management model comprises 3 lines of defense:

1. First line: OR management in business and support areas (hereinafter the Areas), in their products, activities, processes and systems.

The Areas integrate OR management into their day-to-day activities, collaborating in the identification and assessment of risks, establishing the target risk, carrying out the controls and executing the mitigation plans for those risks whose residual risk level is higher than the acceptable one.

In all OR management areas, the Operational Risk Managers (Business ORMs) ensure adequate management of operational risk in their respective areas, promoting the identification of the target risk and ensuring the implementation of the mitigation plans and proper execution of controls. OR management in the units is set out, expressed and followed at the Operational Risk Management Committee (ORM Committee).

2. Second line: the “Corporate Operational Risk Management” (CORM) and “Operational Risk Management” functions at country level, which are independent of the first line, are in charge of designing and maintaining the Group’s OR model and verifying its proper application in the different Areas.

Moreover, the activities of this second line of defense include those carried out by the Specialized Control Units: Legal Compliance, Internal Risk Control(1), Internal Financial Control, Operational Control, IT Risk, Fraud & Security, as well as those of the Production Managers for Procurement, Real Estate and Services, HR and Strategy and Finance in Spain. The activities carried out by this second line of defense are:

  • Identify the main risks in their field of expertise for the Areas, as well as their assessment.
  • Define mitigating measures and ensure their implementation by the Areas.
  • Assist the Areas in fulfilling their responsibility.

The Holding Specialists provide a cross-cutting vision to the Group’s model, establishing risk references and controls for their Local Specialists to guarantee an independent, expert and consistent vision.

3. Third line: carried out by BBVA’s Internal Audit, which:

  • Conducts an independent review of the model, verifying compliance with the corporate policies established and their effectiveness
(1) Units included in the Risk network.

Chart 25. Operational risk management framework: Three lines of defense

3.8.5. Principles of BBVA’s Operational Risk management model

Operational Risk management in BBVA Group must:

  • Be aligned with the Risk Appetite statement set out by the Board of Directors of BBVA.
  • Predict the potential operational risks to which the Group may be exposed as a result of the emergence or modification of new products, activities, processes or systems and outsourcing decisions and establish procedures to enable their assessment and reasonable mitigation prior to their implementation.
  • Establish methodologies and procedures to enable a regular reassessment of the relevant operational risks to which the Group is exposed, in order to adopt appropriate mitigation measures in each case, after considering the identified risk and the cost of mitigation (cost-benefit analysis) and preserving at all times the Group’s solvency.
  • Identify the causes of the operational losses sustained by the Group and establish measures to enable their reduction. To do so, procedures must be in place to enable the capture and analysis of the operational events causing such losses.
  • Analyze the events that may have caused operational risk losses in other entities in the financial sector and drive, where appropriate, the implementation of the measures necessary to prevent their occurrence in the Group.
  • Identify, analyze and quantify events with a low probability of occurrence and high impact which, due to their exceptional nature, may possibly not be included in the losses database or, if they are, have unrepresentative impacts, in order to ensure their mitigation.
  • Have effective governance in which the functions and responsibilities of the Areas and Bodies involved in OR management are clearly defined.

Table 73. Characteristics of the Operational Risk management model

Soundness Board Holding - Country- Unit
Depth Model created in 1999 using database since 2002
Integrated management Capital, budgets, incentives, internal benchmark, culture
Forward looking Model created in 1999 using database since 2002
Continuous improvement Best practices function and continuous updating

These principles reflect BBVA Group’s vision of OR, which is based on the premise that the events that occur as a result of OR have an ultimate cause that should always be identified. The control of the causes significantly reduces the impact of the events. The OR management tools provide information on the origin of OR and assist in its mitigation.

Irrespective of the adoption of all possible measures and controls to prevent or reduce both the frequency and severity of OR events, BBVA ensures that it has sufficient capital at all times to cover the expected or unexpected losses that may arise.

Corporate Operational Risk Management (CORM) proposes the general policies that guide management and enable control of the Group’s operational risk.

These principles aim to reasonably ensure (cost-benefit analysis) that the relevant operational risks to which the Group is exposed in carrying out its activities are identified, assessed and managed consistently with the risk appetite statement set out by the Board of Directors of BBVA, preserving the Group’s solvency.

The OR is managed in the BBVA Group from two different and complementary viewpoints:

  • The “ex-ante” point of view entails identifying, assessing and prioritizing potential operational risks to enable their mitigation.

From this standpoint, OR is managed in a proactive and preventive way by the Areas and Units exposed. This management is integrated into the day-to-day decision- making process and is focused on the analysis of the causes of OR to enable its mitigation.

  • The “ex-post” point of view entails assessing the exposure to OR and measuring its consequences, i.e. the historical cost of the events that have occurred. From this perspective, OR management uses tools associated with the consequences of OR not only to complement OR management, but also to feed the calculation of capital use for those Group areas that operate under advanced OR measurement approaches.

The elements that enable OR to be managed in BBVA Group from these two standpoints are described below.

3.8.5.1. Operational Risk admission process

Although strictly speaking there is not a true OR admission process, as the one carried out, for example, in Credit Risk, BBVA Group considers that the assimilation presented in this section is useful for controlling this risk and contributes to its mitigation. The aim of this process is to: anticipate the potential operational risks to which the Group may be exposed as a result of the emergence or modification of new products, activities, processes or systems and outsourcing decisions and ensure that they are implemented only after adopting suitable mitigation measures in each case.

The Group has a specific governance model for OR admission embodied in different Committees that are admission vehicles in the different areas in which the emergence of OR is concentrated: new businesses, new products, systems, outsourcing decisions, etc.

3.8.5.2. Operational Risk monitoring and management/mitigation tools

3.8.5.2.1. Risk and Control Self-Assessment

An appropriate management of OR requires the establishment of methodologies and procedures to identify, assess and follow this type of risks, in order to implement suitable mitigation measures in each case. This will be done by comparing the level of risk assumed and the cost of mitigation.

BBVA Group’s OR management methodology has the following phases:

  • Establishment of the model’s perimeter, identifying the companies and activities that may give rise to significant OR. These companies and activities are associated with their processes using the taxonomy established by the Group. Processes are the starting point for identifying the OR factors.
  • Identification of potential and real OR factors based on the review of the processes, applying self-assessment techniques that are completed and verified against other relevant information.
  • Prioritization of the OR factors through the calculation of the inherent risk: estimation of the exposure to risk in an adverse and conservative environment without considering the existence of possible controls. Prioritization is used to separate the critical factors from the non-critical ones by applying cut-off points.
  • For critical risks, the controls that contribute to their reduction are identified, documented and tested, and based on their effectiveness the residual risk (which incorporates the reducing effect of the controls, where applicable) is calculated.
  • A specific target is set for each critical risk, that constitutes the level of risk considered acceptable. In those risks in which the residual risk is higher than the target risk there is a gap between both that requires that the risk be mitigated through a mitigation plan.

The aim is to have an evolving and dynamic OR management model that reflects the essential aspects of this risk’s situation at any given time.

OR management is coordinated with other risks, considering the credit or market consequences that may have an operational origin.

3.8.5.2.2. Operational Risk indicators

Dynamic management of OR requires not only a regular self-assessment of OR, but also the definition of a set of indicators to enable the changes in both the risk factors and the effectiveness of the controls to be measured over time, in order to have available information on unexpected changes and enable preventive management of Operational Risk.

3.8.5.2.3. Operational losses database

In line with the best practices and recommendations of the BIS, BBVA has procedures in place for collecting operational losses that occur both in the different Group entities and in other financial groups (ORX losses database, ORX News service, etc).

Internal operational losses database - SIRO

Through automatic interfaces with accounting and expense and manual capture procedure applications, this tool collects the accounting losses associated with OR events. The losses are captured with no amount limit and constitute an input for calculating the capital use for OR in advanced measurement approaches and a reference for the Risk and Control Self Assessment, and are analyzed on a regular basis in terms of trends and monitoring of expected losses.

External operational losses database - ORX

The Bank, together with other leading entities worldwide, subscribed with the ORX consortium, as a founding partner, the creation of an external database for anonymously exchanging information related to operational events.

This consortium provides both quantitative and qualitative information on the operational events experienced by the member entities. The information obtained through this means is used both to identify potential ORs and analyze whether appropriate mitigation measures are available, and for the purpose of calculating capital using advanced measurement approaches.

3.8.5.2.4. Operational Risk scenarios

These reflect the exposure to a limited number of situations that may give rise to very significant losses with a reduced estimated frequency of occurrence. The scenarios feed the capital calculation in those Group areas that operate under advanced measurement approaches, and also constitute a reference for OR management.

3.8.5.3. Mitigation plans

Mitigation means to reduce the level of exposure to OR. Even though there is always the option of eliminating OR by exiting a given activity, the Group’s policy is to attempt to mitigate the risk first by improving the control environment or applying other measures, conducting a rigorous cost-benefit analysis. The different forms of mitigation always have associated costs. It is therefore fundamental to assess the cost of the OR properly before making a decision.

As long as the residual risk exceeds the defined target risk level, mitigation measures will need to be established to keep it within the level. The area responsible for OR will drive its implementation through the Operational Risk Management Committee.

3.8.6. Methods employed

As set out in Regulation (EU) 575/2013 of the European Parliament and of the Council, for calculating the regulatory capital for operational risk under Basel I, advanced measurement approaches (AMA method) are used for a very significant part of the banking perimeter. Specifically, this method is used in Spain and Mexico, which accumulate most of the Group’s assets.

As already mentioned, in March 2010 the BBVA Group received authorization from the supervisor to apply advanced models for calculating regulatory capital by operational risk in Spain and Mexico.

Save for the cases of Garanti and Bolivia, which apply the basic approach, the standardized approach is used to calculate capital in the rest of the geographical areas.

3.8.6.1. Description of the advanced measurement approaches

The advanced internal model quantifies capital at a confidence level of 99.9% following the LDA (Loss Distribution Approach) methodology. This methodology estimates the distribution of losses by operational event by convoluting the frequency distribution and the loss given default distribution of these events.

The calculations are made using internal data on the Group’s historic losses as its main source of information. To enrich the data from this internal database and to take into account the impact of possible events not yet considered therein, external databases (ORX consortium) are used and the scenarios indicated in point 3.8.5.2.4 are included.

The distribution of losses is constructed for each of the different types of operational risk, which are defined as per Basel Accord cells; i.e. a cross between business line and risk class. In those cases in which there is not sufficient data for a sound analysis, it becomes necessary to undertake cell aggregations, and to do so the business line is chosen as the axis.

In certain cases, a greater disaggregation of the Basel cell has been selected. The objective consists of identifying statistically homogenous groups and a sufficient amount of data for proper modeling. The definition of these groupings is regularly reviewed and updated.

Solvency regulations establish that regulatory capital for operational risk is determined as the sum of individual estimates by type of risk, but allowing the option of incorporating the effect of the correlation among them. This impact has been taken into consideration in BBVA estimates with a conservative approach.

The model of calculating capital in both Spain and Mexico incorporates factors that reflect the business environment and situation of internal control systems. Thus the calculation obtained is higher or lower according to how these factors change in anticipating the result.

As regards the aforementioned factors, current estimates do not include the mitigating effect of insurance.

The following table below shows the operational risk capital requirements broken down according to the calculation models used and by geographical area, to provide a global vision of capital consumption for this type of risk:

Table 74. Regulatory capital for Operational Risk

(Million euros)

Regulatory capital for
operational risk
2015 2014
Advanced 1,236 1,266
Spain 811 811
Mexico 425 455
Standardized 911 942
Basic 517 145
BBVA Group total 2,663 2,352

The main variations in the capital requirements for operational risk are due to:

  • Non-advanced approaches: In the standard downhill method (36 million) due to the combined effect of the exchange rate (mainly the devaluation of the Venezuelan currency). In the basic method, increase (372 million) with the increased holding in Garanti.

Chart 26. Required capital per method

3.8.7. The Group’s Operational Risk profile

BBVA’s operational risk profile is shown below by class of risk after assessing the risks, resulting in the following distribution:

Chart 27. BBVA Group's Operational Risk profile

The following charts illustrate the distribution of historical operational losses by risk class and country.

Chart 28. Operational Risk profile by risk and country

3.8.8. Main variations in the period

Table 75. Variations in the period in terms of RWAs for the Operational Risk

(Million euros)

Operational Risk
RWA’s Dec 14
29,038
Efectos Acquisitions and disposals 6,952
Foreign exchange movements 2,532
Other –167
RWA’s Dec 15
33,291
  • Acquisitions and disposals: Effect of the acquisition of Catalunya Banc (1,650 million euros) and the global consolidation of Garanti (5,300 million euros).
  • Exchange rate fluctuations: Caused mainly by the conversion of the Venezuelan currency at the closing exchange rate.

Tools