7/28/2019 Jean Marie Savin
1/19
| 13th May 2010|FEBRABAN Operational risk conference 2
BNP Paribas Group
A diversified business mix with a strong footprint in retail banking
Retail banking
Branch banking: 4 domestic markets (F, I, Be, Lu)
Strong presence in many other countries (West US, Po, Tu, Mediterranean, ...)
Specialized retail banking activities: Personal Finance, Leasing and fleet services
Corporate & Investment Banking: Financing, Capital Markets
Investment solutions: Asset & Wealth Management, Insurance, Securities services, Real Estate Services
Geographic Mix (2009 revenues including Fortis, broken down pro-forma)
Business Mix (allocated capital as at 31/12/2009 including Fortis, broken down pro-forma)
Context
[Diagram labels: Risks; Compliance; Controls; Governance; Regulations; Environment; ...]
An appropriate organization
From
2002: Emergence of an Operational Risk function within Risk
2005: Widening of Compliance scope from Ethics to Compliance to rules and procedures
2005: Emergence of a coordination function on Permanent Controls, further to a new French regulation, placed under the Compliance scope, organizing the overall control framework whatever the risk
To
2007: A grouping together of operational risk and controls framework, under the umbrella of Compliance but also part of the Risk stream
An appropriate organization
A three lines of defense model
Internal Control Charter
Business managers are primarily accountable for the risk they generate
Operational Permanent Control
A second look / second line of defense oversees and challenges
the risk taken by the businesses
the risk & control management framework
Dedicated functions: Finance, Legal, Compliance, Risk, ... + Oversight of Operational Permanent Control
A third and fully independent line performs audits
[Diagram labels: Operational entities; Group Functions; Type of control (Permanent, Periodic); Line of defense (1, 2, 3); Controller; Field; Line Management; Permanent Control functions; Internal Audit]
An appropriate organization
An integrated framework
An enhanced governance
Operational risk management at BNP Paribas
A global framework
[Diagram labels: Risks identification and assessment; Monitoring; Reporting; Risk quantification; Procedures; Organization; Verifications]
Risk identification & assessment
The cornerstone of an Operational Permanent Control framework, which helps to define where and at which level measures should be taken in order to monitor and prevent risks
A formal approach through analysis of risk characteristics, assessments, key indicators, controls, ...
Taking into account key regulatory requirements, as pointed out by Legal and/or Compliance
Methodically and with tracking documentation
Which contributes to the definition of the risk tolerance
And makes it possible to justify, organize and prioritize the set-up that is (or is to be) implemented:
Risk quantifications (scenarios)
Organization (and specifically segregation of duties)
Procedures
Controls
Specific anti-fraud programs
Action plans
A common minimum framework at group level
A specific care for new activity / new product / new process validation committee
Risk Quantification: AMA model overview
[Diagram labels: Monitoring; Reporting; Procedures; Organization; Controls; Risks identification and assessment; Potential Incidents; Extreme risks; Potential Incidents + Historical Incidents; Common risks; Calculation engine; Distributions; Simulations; Annual aggregated loss distribution; Capital; Capital Allocation; Historical Incidents; External losses; Scenario analysis; Business Environment and Internal Control Factors]
Risk Quantification:
BNP Paribas AMA Model components
Risk Quantification: a key element to better understand what is at stake:
comprehensive collection of historical incidents and, for the most significant entities, quantification of potential incidents (forward-looking analysis)
Mixed model:
Use of both Potential and Historical Incidents
Priority given to Potential Incidents
Potential Incidents (PI):
2 cases: Likely Case (LC) and Worst Case (WC)
Encompass scenarios, Business Environment and Internal Control Factors and external data
Methodology:
PI identification and selection / risk map
PI analysis and quantification
Bottom up
Top down
Consistency criteria between LC and WC
Historical Incidents:
Lower and most frequent risks are represented by Historical Incidents rather than Potential Incidents
Exclusion of risks already and consistently represented by Potential Incidents
Exclusion of no longer relevant risks, on the condition of justification
Replacement of outlier historical incidents by Potential Incidents
Capital quantification aimed at management decisions, through feedback on the risk identification and assessment process
Should trigger controls and action plans
Procedures, Organization and Controls
Procedures & organization:
Specific attention to organizational issues, such as segregation of duties and link with access right management
Checklists of procedures to be rolled out
Dedicated follow-up indicators
Verifications: a systematic approach
Controls stem from the entities' own risk assessment and analysis of risk causes
Verifications/controls have to be commensurate with the risks, depending on the risk appetite of the management: the greater the risk, the greater the intensity of the control
Definition of generic control plans per process at group or business line level, to be then customized / enriched at local entity level
An enhanced governance
Driving principle
Management is accountable for risk management
Risk tolerance should be formalized
Risk mitigation action should be evidenced
Management involvement should be:
Top down: top management should set the tone
Bottom up: issues should be dealt with locally and only concerns or anomalies should be escalated as necessary
Top management has to be alerted whenever required
Transversal: the overall control process should be considered as a whole and not only one's own scope of responsibility
Link with other types of risk
An enhanced governance
A useful practice: Internal Control Committee
Designed for decision / action
Involving executive management
With attendance of Risk / Compliance
With a standard agenda
Legal / Regulatory watch
Analysis of op. risk incidents: actual or potential
Analysis of risk indicators and verifications output
Risk mitigation actions follow-up
An enhanced governance
A more stringent oversight
A shared referential of guidelines against which to benchmark entities
A formalized supervision process
On every element of the framework
On compliance with guidelines
On risk identification and assessments performed by businesses
Relying on
Group teams
Critical risks or entities
Entities rolling out AMA or newly joining the group
Dedicated businesses teams
Scorings implying consequences on prudential reportings or calculations
Some achievements
But still so much more to do
Capture the changes in environment, activities, processes, ...
Strengthen buy-in
Keep granularity relevant
Manage transversality of risks & controls, especially with credit & market risks
Develop ability to think out of the box
Operational risk management at BNP Paribas