2007 REGISTRATION DOCUMENT
3 RISK MANAGEMENT
Risk management framework

OPTIMUM ORGANISATIONAL STRUCTURE

In 2007 the units responsible for setting the operational risk framework, conducting permanent controls and coordinating business continuity plans were merged in an attempt to streamline and optimise internal control procedures. The new unit will be responsible for both measuring and managing operational risk. It will define, coordinate and monitor the Group’s operational risk, permanent controls and business continuity frameworks, and produce the appropriate risk measures and management data.

The unit will work in line with a unified, five-tier approach based on:
■ analysing risks;
■ implementing preventive and/or mitigating tools including procedures, controls, business continuity plans and insurance;
■ producing risk measures and calculating the capital charge for operational risk (used to determine tolerance levels and consolidated exposure);
■ reporting and analysing information (used in validating controls and managing risk);
■ formulating action plans to prevent and/or remedy risks, together with follow-up procedures.

This approach involves a two-way vertical information flow (bottom up and top down) which ensures that data is provided to the competent level of the organisation for review, validation and decision-making purposes. It also functions as a loop, ensuring that due account has been taken of changes in the environment and that control procedures have been adjusted accordingly.

KEY PLAYERS AND GOVERNANCE

At all levels of the Group (core businesses, functions, business lines, subsidiaries and territories), the risk management framework relies on teams of operational risk analysts and coordinators of permanent controls and business continuity plans. These teams head up the operational risk management process falling within their particular remit, and ensure that the standard operational risk policy and related methodologies and tools are properly implemented. They have a particularly important role in risk analysis and risk reporting.

The entire system requires significant involvement of operational staff. Issues that arise in relation to operational risk, permanent controls and business continuity are discussed with the Group’s Executive Committee three times a year, and with the Internal Control Coordination Committee every month. This committee is chaired by the Internal Control Coordinator and brings together key players in the internal control process. Group companies are encouraged to adopt this governance structure in their own organisations.

Executive Committees at the level of the Group and the core businesses are tasked with ensuring that operational risk is effectively managed and controlled in the areas falling within their remit, in accordance with the Group’s operational risk framework. The committees are responsible for validating the quality and consistency of reporting data and for examining the risk profile adopted in light of the tolerance levels set by either the committees themselves or the Group. They also assess the quality of risk control procedures in light of their objectives and the risks they incur.

RISK ANALYSIS

A large number of people are involved in the risk analysis process, from staff heading up the operational risk management framework through to their business line operating managers. Operational risk is analysed on the basis of historical data and prospective scenarios.

Historical data: operational risk data has been systematically compiled since the beginning of 2002, with the process subsequently rolled out to all of the Group’s business lines and territories and enhanced by data quality reviews and certification procedures. The analysis and follow-up of operational risk data are key to identifying the actions needed to prevent incidents from recurring in the future.

Prospective scenarios: the Group adopts an integrated approach to modelling risks and analysing potential incidents, based on an analysis of its internal processes. A qualitative analysis of the causes, corresponding controls and impact of operational risk incidents is carried out for each process, with the results quantified and input into the internal capital calculation model. The analysis highlights the Group’s main risk exposures and enables the organisation to identify the necessary remedial actions.

The analysis of actual and potential operational risks is therefore a key component of the risk management process. It helps identify factors that may prevent or mitigate such risks, particularly the need for new or adjusted control procedures and business continuity plans. In turn, the risk analysis process is enhanced by the review of control procedures and business continuity plans. The analysis of the “risk – controls – business continuity plan” chain is therefore designed as a loop in order to optimise the Group’s operational risk management framework.

LEGAL, TAX AND INFORMATION TECHNOLOGY RISKS RELATING TO OPERATIONAL RISK

Legal risk

In each country where it operates, BNP Paribas is bound by specific local regulations applicable to companies engaged in banking, insurance and financial services. The Group is notably required to respect the integrity of the markets and the primacy of clients’ interests.

For many years, the Group Legal Department function has had an internal control system designed to anticipate, detect, measure and manage legal risks.

The system is organised around:
■ Specific committees:
  ■ the Legal Affairs Committee,
  ■ the Global Legal Committee, which coordinates the activities of the legal function throughout the Group in all countries that have their own legal staff, and ensures that the Group’s legal policies are consistent and applied in a uniform manner,
  ■ the Legislation Tracking Committee, which analyses, interprets and distributes throughout the Group the texts of new laws and regulations, and details of changes in French and European case law,
  ■ the Legal Internal Control Committee, whose focuses include operational risk,
  ■ the Litigation Committee, which deals with major litigation proceedings in which the Group is the plaintiff or defendant,
  ■ the Legal function is a permanent member of the Compliance Committee and the Internal Control Coordination Committee;

2007 Registration document - BNP PARIBAS, page 76
■ internal procedures and databases providing a framework for (i) managing legal risk, in close collaboration with the Compliance function for all matters which also fall under their responsibility, and (ii) overseeing the activities of the Group’s legal staff. At the end of 2004, a procedures database detailing all internal procedures in French and in English was set up on the Group intranet with access rights for all employees;
■ legal reviews, which are carried out in Group entities to ensure that local systems for managing legal risks are appropriate, procedures are properly applied, and tools correctly used. Regular visits are made, particularly to countries deemed the most vulnerable, in order to check the effectiveness of the systems developed by international units for managing legal risks;
■ internal reporting tools, document templates and analytical models, which are upgraded on an ongoing basis by the Group Legal Department and contribute to the analysis of operational risk.

The Legal function was reorganised at the end of 2007 to allow increased oversight of the Group’s Legal Department and bring front-line legal staff closer to the core businesses and divisions. The reorganisation means that legal risks can be managed more effectively, both within and outside France.

Tax risk

In each country where it operates, BNP Paribas is bound by specific local tax regulations applicable to companies engaged for example in banking, insurance or financial services.

The Group Tax Department is a global function, responsible for overseeing the consistency of the Group’s tax affairs. It also shares responsibility for monitoring global tax risks with Group Finance and Development. The Group Tax Department performs second-tier controls to ensure that tax risks remain at an acceptable level and are consistent with the Group’s reputation and profitability objectives.

To carry out its mission, the Group Tax Department has established:
■ a network of dedicated tax specialists in 12 countries, complemented by tax correspondents covering other countries where the Group operates;
■ a qualitative data reporting system in order to manage tax risks and assess compliance with local tax laws;
■ regular reporting to Group Executive Management on the use made of delegations of authority and compliance with internal standards.

The Group Tax Department co-chaired the Tax Coordination Committee, which is chaired by Group Finance and Development. The Tax Coordination Committee also includes the Compliance function and may involve the core businesses when appropriate. The committee is responsible for analysing key tax issues for the Group and making appropriate decisions. Group Finance and Development is obliged to consult the Group Tax Department on any tax issues arising on transactions processed.

The Group Tax Department has also drawn up procedures covering all core businesses, designed to ensure that tax risks are identified, addressed and controlled appropriately. Tax risks may arise at Group level or from specific customer product or service offerings developed by the Group’s entities. To ensure these risks are addressed effectively, the Group Tax Department relies, among other things, on:
■ the tax risk management framework. The tax risk charter is presented in the form of a mission letter for the territory tax manager when there is one, or in the form of a mission letter from the Group Tax Department authority to the head of the core business with regard to entities that do not have a dedicated tax manager. The latter is updated regularly to reflect changes in the charter applicable to Territory Chief Executives;
■ procedures for validation by the Group Tax Department of all new products featuring a material tax component, together with all new activities and “specific” transactions structured in France or abroad;
■ procedures for procuring independent tax advice;
■ definition of operational tax risk incidents and their common filing and reporting;
■ definition and disclosure of groupwide tax rules and regulations, and validation of any framework agreement or internal circular/document presenting specific tax issues;
■ tax audit reporting procedures;
■ control procedures relating to the delivery of tax opinions and advice.

Information security

Information is a bank’s key commodity and effective management of information security risk is vital in an era of near full-scale migration to electronic media, growing demand for swift online processing of ever more sophisticated transactions, and widespread use of the internet or multiple networks as the primary interface between a bank and its individual or institutional customers.

Incidents reported in different countries involving the banking and credit card industries highlight the increased need for vigilance. This topic has been reiterated by regulations and case law on data protection.

Information security at BNP Paribas is managed in accordance with a series of Group security policies rolled down to each individual business line. These policies take into account any regulatory requirements and the risk appetite of the business in question, and are governed by the Group’s general security policy which draws on ISO 27001 (formerly ISO 17799). Each business line manages information security in the same way, based on common objective indicators, periodic controls, residual risk assessments and action plans. This approach is part of the permanent and periodic control framework set up for each banking activity pursuant to CRBF regulation 97-02 (amended in 2004) in France and similar regulations in other countries.

Each of BNP Paribas’ business lines is exposed to some specific form of information security risk, with some risks common to all businesses. The Group’s policy for managing these risks takes into consideration the specific nature of the business, often made more complex by legally and culturally-specific regulations in the different countries in which the Group does business.

Like most global banking players, the Group’s online retail banking businesses suffered a number of phishing/pharming attacks in 2007, as in previous years. All large-scale attacks were countered, with no harm whatsoever to our customers, thanks to the continuing reinforcement of existing awareness, prevention, detection and remedial measures. Although we did not see a significant rise in either the number or type of attacks over the year, the Group’s businesses remain vigilant and continue to invest in measures that will allow them to keep one step ahead of security threats without increasing complexity for the internet user. In all countries where it has retail banking operations, BNP Paribas plays an active role in raising users’ awareness of the intrinsic dangers of the internet and of the key measures that can be taken to mitigate these dangers, by establishing a direct dialogue with customers and working closely alongside public authorities and professional or community associations.