NATIXIS - Universal registration document and financial report 2019
3 RISK FACTORS, RISK MANAGEMENT AND PILLAR III Risk management
Operational risk monitoring
3.2.6.3 Risk mapping
Risk mapping is central to operational risk monitoring:
[Figure: risk mapping diagram. Labels: Business line and support function environment; Evaluation of the control environment; Analysis of the change in risk profile of the business lines and support functions; Incidents with financial, legal and regulatory impacts; Qualitative evaluation of business line and support function controls; Qualitative evaluation of business line and support function policies and procedures; Qualitative evaluation of the HR profile of the support functions; KRI; Controls; P&P; HR; Incidents; Quantitative backtesting; Qualitative evaluation of business line and support function risks by their owners; Mapping; RSA; Gross risk; Reduction measures; RMS; Net risk; Regulatory environment / Compliance; Local and international regulations; Non-compliance risks; Financial industry environment; External database: public incidents since 1995; Scenario analysis.]
KRI: Key risk indicator; RMS: Risk management system; RSA: Risk self-assessment; HR: Human Resources; P&P: Policies and Procedures
Every year the department in charge of monitoring operational risks, in conjunction with the other control functions, works with each business line, entity and support function to map operational risks. The exercise involves identifying and descriptively analyzing risks, quantifying the risk situations (average frequency, average and maximum loss), and taking into account existing risk management mechanisms. This mapping is based on process analysis and is carried out for all the bank’s activities. Its consistency is verified through backtesting, in other words by using the incident history, as well as external data where relevant. The risk mapping process serves to identify Natixis’ exposed business lines and its biggest risks in order to be able to manage them through corrective action and indicators.
The mapping of “global and systemic risks” (extreme risk situations occurring infrequently, such as major natural disasters, pandemics, and attacks) draws on external data on incidents in the financial industry, especially for establishing frequency. Also factored in are assumptions on unrealized net revenue items and the effectiveness of risk management mechanisms, as well as contingency and business continuity plans.
In addition to risk mapping, there are over 610 key risk indicators (KRIs) in place with corresponding limits, which are monitored regularly. KRIs dynamically detect any changes in the operational risk profile and cover the seven Basel categories of loss-generating events. They apply either to Natixis (overall indicators), to the business lines, or to the support functions that, with the operational risk manager, set the indicators as relevant early warning indicators during the mapping process. These indicators are submitted to the Operational Risk Committee for approval. Any breach of their thresholds, which is the subject of a systematic alert, may trigger action to be carried out immediately or requiring Committee approval.
Identifying losses and incidents
Recording and analyzing incidents
Incidents are recorded as they occur, starting from an optional reporting threshold of €5,000 for the Corporate & Investment Banking and Asset Management business lines, and €1,500 for Payments, Insurance and Wealth Management. A single definition of “serious incident” is used, in compliance with Groupe BPCE standards (€300,000 gross). All serious incidents (above the defined threshold or deemed serious by the business line and the Head of the Operational Risk Department) are reported immediately to the business line’s management and to Natixis’ Chief Risk Officer.