2018 Pillar 3 Disclosures
Annex
The risk identification processes will be carried out
through a permanent working group which, in addition
to the risk control units, will feature the participation
of Internal Audit, Organisation, and the person
responsible for the activity or service under analysis. It will
also systematically identify the relevant risks that may
arise as a result of external or internal changes and it
will include risk indicators that enable the risk to be
assessed, directly reflecting the quality of operational
environments and effective control.
A rigorous and systematic record is kept of all events
which have generated operational losses at the bank.
This record is maintained separate from accounting
information records and integrated with all other
operational risk management procedures.
Any losses due to operational risk shall be classified,
according to the categories established in Regulation
(EU) no. 575/2013, as internal fraud, external fraud,
sales practices, labour relations, damage to physical
assets, technological faults and process errors.
The events will be stored in a database for losses,
identifying their source, occurrence, posting date and
recoveries, where applicable, among other aspects.
The development of new activities, products or
systems requires the identification and assessment of
the inherent risks associated with them.
The risk control units will inform the Compliance and
Operational Risk Committee when it is deemed that
an excessive inherent risk is incurred, in order for this
Committee to issue specific preventive measures to
be taken or to advise against the launch of the new
activity or product.

3.2 Self-assessment and measurement of operational risk

The Operational Risk Unit will develop an internal
model for qualitative assessment. The assessment model
shall be well documented and integrated within the
operational risk management processes of the bank, and
its results shall be an integral part of the operational
risk profile control and monitoring process of the bank.
The risks and mitigation control points shall be subject
to systematic assessments in order to obtain the existing
residual operational risk in activities, systems and
products, employing quantitative techniques for this
purpose. A residual risk is understood to be the part of
the risk not covered by means of the internal control
structure of the bank or insurance arranged with third
parties. In other words, it is the part of the risk which, with
a certain degree of probability, could have a negative
impact. The profile obtained is compared against the
desired profile, in order to initiate the appropriate
corrective actions.
Quantitative assessment will check that the basic internal
control factors of the bank that have been identified
reflect the quality of internal control and contribute
to immediately acknowledging improvements and
deteriorations observed in the operational risk profile.
The assessment process identifies potential increases in
risk attributable to internal or external sources.
The assessments will be subject to frequent comparison
processes based on the results of the controls conducted
by the second and third-level control units.
The results obtained in the assessment are binding. The
persons responsible for each activity, product or service
will take part in the assessment procedure, and the
Area Managers will validate the assessment provided by
the headship under their responsibility.

3.3 Monitoring operational risk

In the monitoring phase, all the variables defined for the
identification and assessment of risks will be reviewed,
with the aim of ensuring and supporting consistency in
the assessment/measurement process in the various
areas; assessing the quality and appropriateness of the
mitigation techniques applied; and guaranteeing that
the premises established in the initial
identification/assessment model are kept constant.
Parameters will be set for the risk indicators within
certain thresholds, generating alerts that warn about
changes in the evolution of the risk. These alerts will
be analysed by comparing their values during the
last three measurement periods to the thresholds
established in their configuration. Depending on the
result of said analysis, the corresponding Area shall be
approached, where applicable, to justify the increased
exposure to the risk, and the decision will be reached
on whether any additional controls will be required for
their mitigation or whether the current situation of the
business leads to the conclusion that the defined
thresholds should be modified.