P.

83

2018 Pillar 3 Disclosures

Annex

The implementation of the Action Plans arising out

of the control weaknesses observed in previous

assessment processes will be checked, contrasting

the resolution of the control incidents observed,

and the Operational Risk Unit will ascertain that the

improvements performed have been incorporated into

the following assessment process.

The Operational Risk Unit must analyse events that

have given rise to losses and re-assess the processes

affected both positively (reduction in losses) and

negatively (increase in losses), and propose any

improvements deemed necessary to those in charge of

the activities/processes that have produced losses.

In addition, any events that affect the bank’s

reputation shall be reported to the Regulatory

Compliance Department so it can adopt the preventive

measures it deems appropriate.

3.4 Mitigation of operational

risk

The Compliance and Operational Risk Committee will

approve the strategies proposed by the Operational

Risk Unit in order to mitigate those risk levels

deemed unacceptable. These strategies may be of the

following kinds:

•

Improvement actions, which aim to reduce the

potential impact on the bank of the risks assumed.

These actions may consist in the development of new

controls, redesign of processes and development of

contingency and continuity plans.

•

Actions to transfer the risks to other banks, for

example by means of insurance of any risks which the

bank may face over a period of time.

•

Coverage or insurance of the risks, for example

by means of the use of provisions to cover the

impacts of the risks or financial hedging at the point

of impact.

•

Acceptance of the current situation, having deemed

that the risk profile is aligned with the situation

desired by senior management.

The Control/Mitigation Strategies must be agreed with

the supervisors of the areas affected if these processes

entail increased allocations of human or technical

resources or significant restructuring of the processes.

4. Compliance risk

The Regulatory Compliance Department has devised a

comprehensive compliance risk management system

comprising three levels:

•

Risk maps,

identifying obligations for which

compliance is controlled with an incorporated

methodology to assess risks on the basis of objective

criteria (possible penalty applied by the supervisory

authority, and probability of reputation impact as a

result of publication of the penalty).

•

Control map, setting out the controls to cover the

risks identified on the risk map.

•

Design of a reporting system

by means of

which the results obtained from the controls are

reported to the Compliance and Operational Risk

Committee, in order for appropriate corrective

measures to be adopted. The annual reports on

compliance activities are also presented to the

Audit Committee.

5. Risk in equity

instruments not included

in the trading book

The bank maintains positions in equity instruments

not included in its trading book. These positions are

investments in entities that are held, generally, for

strategic purposes.

Monitoring of these positions is integrated into ordinary

risk management circuits.

Section 6 of this document includes information

on these instruments and the capital requirements

deriving from them.

6. Interest-rate risk in the

banking book

The structural interest-rate risk in the balance sheet

may be defined as the exposure of the financial and

economic situation and, thus, movements in interest

rates as a result of the differing time frames of

maturities and repricing of the overall balance sheet

entries. This risk comprises a substantial part of the

banking business, and could have a major impact on

the financial margin and economic value of capital.

A|A.I