Risk activity at CACEIS Bank Spain SAU is guided by the following principles, which are in line with Santander Group frameworks and policies and which take into account the recommendations of supervisors, regulators and market best practices:
- An integrated risk culture at the organisation.
- Independence of the risk function.
- Comprehensive approach to all risks as a target for their appropriate management and control.
- An organisation and governance model that assigns risk control and management to all responsible risk areas.
In December 2014, CACEIS Bank Spain SAU joined the Santander Group’s General Risk Framework, which sets forth the basic principles applicable to risk management as set forth in the map of risks (financial, non-financial and transversal).
Governance of the risks
In addition to the non-delegable risk functions performed by the Board of Directors, 2015 saw the creation of the Executive Risk Committee, chaired by the General Manager of the Company, and the Risk Control Committee, in charge of effective control of all risks and chaired by the Chief Risk Officer.
Organisational structure of the risk function
The Chief Risk Officer is responsible for the risk function. This officer reports to the General Manager and to the board of directors and plays an advisory, monitoring and challenge role with regards to the executive line of the entity.
Operational and Technological Risk; models for identifying, measuring and evaluating:
In light of CACEIS Bank Spain SAU’s business, operational and technological risk is a very relevant focus of management, which at all times follows the Santander Group’s frameworks and policies. Hence, a series of qualitative and quantitative tools and techniques have been defined at the Group level to measure and evaluate technological and operational risk. These tools and techniques are combined to prepare a diagnosis (on the basis of the risks identified) and obtain an evaluation (through measurement/evaluation) of each unit.
The quantitative analysis is carried out primarily with tools that record and quantify the level of losses associated with events involving operational risk:
- Internal database of the events, the purpose of which is to capture all losses resulting from operational risk at the Unit. The capturing of events related to operational risk is not restricted because of the establishment of thresholds (that is, there are no exclusions based on quantity), and all events with an accounting impact (including those with a positive impact) are considered, as are non-accounting events. There are accounting-reconciliation processes to ensure the quality of the information entered into the databases. The main operational risk events are documented and reviewed individually.
- External database of events, given that the Santander Group participates in international consortia. The use of external databases makes it possible to analyse the events in the sector in greater detail and in a more structured manner.
- Analysis of operational-risk scenarios. The opinions of experts in the business lines and of risk control managers are obtained in order to identify potential events with a very low likelihood of occurrence but that could lead to a large loss for the entity. The possible effects of these events are evaluated, and additional controls and mitigation measures are established to reduce the probability of an event with a high economic impact.
The tools defined for the qualitative analysis evaluate aspects (coverage/exposure) linked to the risk profile and make it possible to assess the control environment. These tools are primarily:
- Process and risk map and self-evaluation questionnaires. A proper evaluation of the risks, on the basis of the expert opinion of the respective managers, allows for a qualitative view of the main focuses of the Unit’s risks, even if they have materialised previously.
- The methodology employed estimates inherent and residual loss in accordance with the process and risk map. Specifically, the experts from the different business and support areas evaluate the risk associated with the processes and activities, estimating the average frequency of occurrence in the materialisation of the risk, as well as the average severity. The exercise also includes the evaluation of major loss, the evaluation of the control environment and the linkage with reputational and regulatory risk. The information obtained is analysed locally and at the corporate level, and is included in the operational risk reduction strategy through measures to mitigate the main risks.
- Operational risk indicators system, which is continually evolving, in coordination with the Internal Control Area. Various types of statistics or parameters provide information on an entity’s exposure to risk. These indicators are reviewed periodically in order to warn of changes that might point to problems with the risks.
- Audit recommendations, which provide relevant information on inherent risk due to internal and external factors and make it possible to identify weaknesses in the controls.
- Other specific instruments that allow for a more detailed analysis of technological risk, such as control of critical incidents in the systems and events related to cyber security.
In addition, protocols have been defined to escalate relevant incidents, giving visibility to certain risk events.
In addition to the regular risk identification and evaluation processes, CACEIS Bank Spain SAU has developed a business contingency and continuity plan to complete the essential management instruments, which, together with the remaining instruments and principles, constitute the components of global risk management at the entity.