2018 Pillar 3 Disclosures

Annex

The risk identification processes will be carried out through a permanent working group which, in addition to the risk control units, will feature the participation of Internal Audit, Organisation, and the person responsible for the activity or service under analysis. It will also systematically identify the relevant risks that may arise as a result of external or internal changes and it will include risk indicators that enable the risk to be assessed, directly reflecting the quality of operational environments and effective control.

A rigorous and systematic record is kept of all events which have generated operational losses at the bank. This record is maintained separately from accounting information records and integrated with all other operational risk management procedures.

Any losses due to operational risk shall be classified, according to the categories established in Regulation (EU) No 575/2013, as internal fraud, external fraud, sales practices, labour relations, damage to physical assets, technological faults and process errors.

The events will be stored in a database for losses, identifying their source, occurrence, posting date and recoveries, where applicable, among other aspects.

The development of new activities, products or systems requires the identification and assessment of the inherent risks associated with them.

The risk control units will inform the Compliance and Operational Risk Committee when it is deemed that an excessive inherent risk is incurred, in order for this Committee to issue specific preventive measures to be taken or to advise against the launch of the new activity or product.

3.2 Self-assessment and measurement of operational risk

The Operational Risk Unit will develop an internal model for qualitative assessment. The assessment model shall be well documented and integrated within the operational risk management processes of the bank, and its results shall be an integral part of the operational risk profile control and monitoring process of the bank.

The risks and mitigation control points shall be subject to systematic assessments in order to obtain the existing residual operational risk in activities, systems and products, employing quantitative techniques for this purpose. A residual risk is understood to be the part of the risk not covered by means of the internal control structure of the bank or insurance arranged with third parties. In other words, it is the part of the risk which, with a certain degree of probability, could have a negative impact. The profile obtained is compared against the desired profile, in order to initiate the appropriate corrective actions.

Quantitative assessment will check that the basic internal control factors of the bank that have been identified reflect the quality of internal control and contribute to immediately acknowledging improvements and deteriorations observed in the operational risk profile. The assessment process identifies potential increases in risk attributable to internal or external sources.

The assessments will be subject to frequent comparison processes based on the results of the controls conducted by the second and third-level control units.

The results obtained in the assessment are binding. The persons responsible for each activity, product or service will take part in the assessment procedure, and the Area Managers will validate the assessment provided by the headship under their responsibility.

3.3 Monitoring operational risk

In the monitoring phase, all the variables defined for the identification and assessment of risks will be reviewed, with the aim of ensuring and supporting consistency in the assessment/measurement process in the various areas; assessing the quality and appropriateness of the mitigation techniques applied; and guaranteeing that the premises established in the initial identification/assessment model are kept constant.

Parameters will be set for the risk indicators within certain thresholds, generating alerts that warn about changes in the evolution of the risk. These alerts will be analysed by comparing their values during the last three measurement periods to the thresholds established in their configuration. Depending on the result of said analysis, the corresponding Area shall be approached, where applicable, to justify the increased exposure to the risk, and a decision will be reached on whether any additional controls will be required for their mitigation or whether the current situation of the business leads to the conclusion that the defined thresholds should be modified.
