
Operational risk & controls: The way for a more integrated approach

3rd FEBRABAN International Operational Risk Seminar

Jean-Marie SAVIN, Sao Paulo, 13th May 2010

BNP Paribas Group

FEBRABAN Operational risk conference | 13th May 2010

BNP Paribas Group


A diversified business mix with a strong footprint in retail banking

Retail banking
  Branch banking
    4 domestic markets (F, I, Be, Lu)
    Strong presence in many other countries (West US, Po, Tu, Mediterranean, ...)
  Specialized retail banking activities
    Personal Finance
    Leasing and fleet services
Corporate & Investment Banking
  Financing
  Capital Markets
Investment solutions
  Asset & Wealth Management
  Insurance
  Securities services
  Real Estate Services

[Chart: Business Mix (allocated capital as at 31/12/2009, including Fortis, broken down pro-forma)]
[Chart: Geographic Mix (2009 revenues, including Fortis, broken down pro-forma)]


Context

[Diagram: Regulations; Risks; Controls; Governance; Compliance; Environment; ...]

Operational risk management at BNP Paribas

An appropriate organization

An integrated framework

An enhanced governance


An appropriate organization

From
  2002: Emergence of an Operational Risk function within Risk
  2005: Widening of Compliance scope from Ethics to Compliance to rules and procedures
  2005: Emergence of a coordination function on Permanent Controls, further to a new French regulation, placed under the Compliance scope, organizing the overall control framework whatever the risk

To
  2007: A grouping together of operational risk and controls framework, under the umbrella of Compliance but also part of the Risk stream


An appropriate organization
A three lines of defense model (Internal Control Charter)

Business managers are primarily accountable for the risks they generate
  Operational Permanent Control

A second look / second line of defense oversees and challenges
  the risk taken by the businesses
  the risk & control management framework
  Dedicated functions: Finance, Legal, Compliance, Risk, ... + Oversight of Operational Permanent Control

A third and fully independent line performs audits


[Table: Type of control (Permanent, Periodic); Line of defense (1, 2); Controller (Field, Line Management, Permanent Control functions, Operational entities, Group Functions, Internal Audit)]


Operational risk management at BNP Paribas

An appropriate organization

An integrated framework

An enhanced governance


A global framework

[Diagram: Risks identification and assessment; Procedures; Organization; Verifications; Risk quantification; Monitoring; Reporting]


Risk identification & assessment


The cornerstone of an Operational Permanent Control framework, which helps to define where and at which level measures should be taken in order to monitor and prevent risks

A formal approach
  Through risk characteristics analysis, assessments, key indicators, controls, ...
  Taking into account key regulatory requirements, as pointed out by Legal and/or Compliance
  Methodically and with tracking documentation

Which contributes to the definition of the risk tolerance

And makes it possible to justify, organize and prioritize the set-up that is (or is to be) implemented
  Risk quantifications (scenarios)
  Organization (and specifically segregation of duties)
  Procedures
  Controls
  Specific anti-fraud programs
  Action plans

A common minimum framework at group level
A specific care for new activity / new product / new process validation committee

Risk Quantification: AMA model overview


[Diagram: AMA model overview. Labels: Risks identification and assessment; Procedures; Organization; Controls; Monitoring; Historical Incidents; Potential Incidents; Scenario analysis; Business Environment and Internal Control Factors; External losses; Common risks; Extreme risks; Calculation engine (Distributions, Simulations); Annual aggregated loss distribution; Capital; Capital Allocation; Reporting]


Risk Quantification: BNP Paribas AMA Model components

Risk Quantification: a key element to better understand what is at stake: comprehensive collection of historical incidents and, for the most significant entities, quantification of potential incidents (forward-looking analysis)

Mixed model
  Use of both Potential and Historical Incidents
  Priority given to Potential Incidents

Potential Incidents (PI)
  2 cases: Likely Case (LC) and Worst Case (WC)
  Encompass scenarios, Business Environment and Internal Control Factors and external data
  Methodology:
    PI identification and selection / risk map
    PI analysis and quantification
    Bottom up
    Top down
    Consistency criteria between LC and WC

Historical Incidents
  Lower and most frequent risks are represented by Historical Incidents rather than Potential Incidents
  Exclusion of risks already and consistently represented by Potential Incidents
  Exclusion of no longer relevant risks, on the condition of justification
  Replacement of outlier historical incidents by Potential Incidents

Capital quantification aimed at management decisions, through feedback on the risk identification and assessment process
  Should trigger controls and action plans


Procedures, Organization and Controls

Procedures & organization
  Specific attention to organizational issues, such as segregation of duties and the link with access rights management
  Checklists of procedures to be rolled out
  Dedicated follow-up indicators

Verifications
  A systematic approach: controls stem from the entities' own risk assessment and from the analysis of risk causes
  Verifications/controls have to be commensurate with the risks, depending on the risk appetite of the management: the greater the risk, the greater the intensity of the control
  Definition of generic control plans per process at group or business line level, to be then customized / enriched at local entity level


Operational risk management at BNP Paribas

An appropriate organization

An integrated framework

An enhanced governance


An enhanced governance

Driving principle
  Management is accountable for risk management
  Risk tolerance should be formalized
  Risk mitigation action should be evidenced

Management involvement should be:
  Top down: top management should set the tone
  Bottom up: issues should be dealt with locally and only concerns or anomalies should be escalated as necessary
    Top management has to be alerted whenever required
  Transversal: the overall control process should be considered as a whole and not only one's own scope of responsibility
    Link with other types of risk


An enhanced governance

A useful practice: Internal Control Committee

Designed for decision / action
  Involving executive management
  With attendance of Risk / Compliance

With a standard agenda
  Legal / Regulatory watch
  Analysis of op. risk incidents: actual or potential
  Analysis of risk indicators and verifications output
  Risk mitigation actions follow-up


An enhanced governance

A half-yearly group-wide reporting
  Guided by a standard dashboard and some key topics
  Aimed at pointing out key risks or weaknesses
    And mitigation plans

With a formal sign-off of the Head of the Entity
  Proper risk disclosure
  Proper Operational Risk incident collection
  Proper formalization of potential risk

Submitted to Internal Control Committee
  And on an aggregated basis, to Group Exco and Board


An enhanced governance

A more stringent oversight
  A shared referential of guidelines against which to benchmark entities
  A formalized supervision process
    On every element of the framework
    On compliance with guidelines
    On risk identification and assessments performed by businesses

Relying on
  Group teams
    Critical risks or entities
    Entities rolling out AMA or newly joining the group
  Dedicated business teams

Scorings implying consequences on prudential reporting or calculations


Operational risk management at BNP Paribas

Some achievements

But still so much more to do
  Capture the changes in environment, activities, processes, ...
  Strengthen buy-in
  Keep granularity relevant
  Manage transversality of risks & controls, especially with credit & market risks
  Develop ability to think out of the box

