CaixaBank optimises the relationship between the risks and returns on its business activity to enhance its leadership of retail banking and bolster its position as one of the most robust European banks. It achieves this through its corporate governance system, and effective risk management and control in line with its business model, the expectations of its stakeholders and best international practices.

The Governance and Organisation structure – and the specialisation of our professionals – ensures CaixaBank’s governance bodies and management committees exercise appropriate risk control.

CaixaBank’s Risk Culture is based, among other things, on general risk management principles, employee training and evaluation of variable remuneration for employee performance.

MAIN RISK MANAGEMENT BODIES

Risk appetite framework:

a comprehensive, forward-looking tool through which the Board of Directors determines the acceptable risk types and thresholds for achieving its strategic objectives.

Corporate Risk Map:

This includes the Corporate Risks Catalogue and facilitates internal and external reporting, and monitoring of the Group’s risks.

Risk assessment and planning:

institutional processes for assessing changes in the Group’s risk profile (recent, future and hypothetical in stress scenarios) and capacity to ensure adequate governance, management and control.

Internal control framework:

a structure based on the three lines of defence model, providing a reasonable degree of assurance that the Group will achieve its objectives.

Risk appetite framework

Priority aspects set out by the Board of Directors that express the Group’s aspirations with regard to its most relevant risks, included in the Corporate Risk Map:

  • Protection against losses: maintaining a medium-low risk profile and comfortable capital levels.
  • Liquidity and funding: always being in a position to meet obligations and funding needs in a timely manner, even under adverse market conditions, with a stable and diversified funding base to protect and safeguard the interests of depositors.
  • Business composition: maintaining leadership in the retail banking market and generating income and capital in a balanced and diversified manner.
  • Franchise: commitment to the highest ethical and governance standards in business conduct, encouraging sustainability and social responsibility, and ensuring operating excellence.

INTERNAL CONTROL FRAMEWORK

This is structured around the Three Lines of Defence model, in line with regulatory guidance and best practices in the sector:

The first line comprises the business units and support areas, which are responsible for identifying, measuring, controlling, mitigating and reporting the key risks affecting the Group as it carries out its business.

The second line acts independently and is designed to ensure the existence of risk management and control policies and procedures, monitor the application of these, evaluate the control environment and report on all of the Group’s material risks. It comprises the Deputy General Control & Compliance area, the Control units in the General Risks Division and Financial Accounting, Control and Capital, which were enhanced in 2016.

The third line is Internal Audit, which independently and objectively assesses the efficiency and effectiveness of risk management and control.

CORPORATE RISK CATALOGUE

Chief Risks Officer Risk management Situation and main activities in 2016
Eligible own funds / Solvency
Risk resulting from constraints on the Group’s ability to adapt its level of capital to regulatory requirements or changes in its risk profile.
  • Management activity focuses on maintaining a low-medium risk profile and comfortable capital adequacy to cover any unexpected losses.
  • Objectives:
    11% minimum capital, comfortably exceeding Basel III requirements.
    Weight of investees < 10%.
  • Regulatory CET1 capital of 13.2%. The minimum requirements are comfortably exceeded.
  • The sale of the investees Bank of East Asia and Grupo Financiero Inbursa to CriteriaCaixa reduced the weight of capital consumption by investees to less than 10%.
Funding and liquidity
Risk of insufficient liquid assets or limited access to market financing to meet contractual maturities of liabilities, regulatory requirements, or the investment needs of the Group.
  • Liquidity risk management is based on: a centralised liquidity management system with segregation of functions; holding an efficient level of liquid funds; active liquidity management; and stable and sustainable funding sources.
  • A robust liquid asset position for the existing financing structure:
    Immediately available bank liquidity of €50,408 million.
    LCR ratio of 160%.
Credit
Risk of a decrease in the value of the Group’s assets due to uncertainty about a counterparty’s ability to meet its obligations.
  • This is the most significant risk for the Group’s balance sheet and arises from its banking and insurance business, treasury operations and investee portfolio.
  • Its management is characterised by a prudent approvals policy and appropriate coverage.
  • The management lifecycle takes an end-to-end approach to transactions.
  • Robust improvement in balance sheet credit-quality metrics.
  • Problem assets continued on a downward trend (NPL 6.9%) with higher gains from the sale of foreclosed assets.
  • Adaptation to the Bank of Spain’s new Circular 4/2016, which introduces changes to the accounting classification of loans and the methodology for determining provisions.
Market
Loss of value in the assets or increase in value of the liabilities in the Group’s held-for-trading portfolio, as a result of fluctuations in rates, credit spreads, external factors or prices in the market where these assets and liabilities are traded.
  • Management of these involves daily risk estimates, testing of the quality of these measurements (back testing), calculation of hypothetical results in the event of sharp changes in market prices (stress testing) and monitoring and control of limits.
  • The Group has put in place daily VaR limits for its trading activities of €20 million.
  • Low and stable risk, well below the limits set.
Interest rate risk in the banking book
Negative effect on the economic value of the balance sheet or results, caused by the renewal of assets and liabilities at rates that are different to those previously established, due to changes in the structure of the interest rate curve.
  • This risk is managed by optimising the net interest margin and keeping the economic value of the balance sheet within the limits established in the risk appetite.
  • CaixaBank actively manages risk by arranging additional hedging transactions on financial markets to supplement the natural hedges generated on its own balance sheet by its deposits and lending transactions with customers.
  • The sensitivity of the net interest margin over one year to a 100 bps increase or decrease in interest rates compared to the baseline scenario is +6.46% and –2.35% respectively.
  • The sensitivity of market value of equity to a 100 bps increase or decrease in interest rates is approximately +3.76% and –1.25%, respectively, compared to the baseline scenario.
Actuarial
Risk of an increase in the value of commitments assumed through insurance contracts with customers and employee pension plans, due to differences between the estimates of claims and actual performance.
  • Policies are based on Directorate-General of Insurance and Pension Funds (DGIPF) guidelines and monitoring of product performance.
  • The Group establishes limits for the net risk retained by each business line, risk and/or event, based on the risk profile and reinsurance costs.
  • Compliance with the new requirements introduced by the European Solvency II Regulations, which have been in force since 1 January 2016.
  • Involvement in sector working groups.
Legal and regulatory
Losses due to errors in the interpretation or application of existing legislation and regulations or adverse judicial rulings. This also includes the risk of an adverse impact on economic value due to legislative or regulatory changes.
  • Management activity seeks to: anticipate regulatory changes by identifying the main risks and impacts; implement new regulatory requirements; and defend the bank in all legal and administrative actions.
  • Involvement in consultations with domestic, European and international regulators.
  • Coordination of analysis of regulatory impact and implementation of new regulations by establishing criteria and procedures.
  • Publication of the Group’s Tax Strategy and approval and publication of its Tax Risk Management and Control Policy.
Conduct and Compliance
Application of criteria for action contrary to the interests of customers and stakeholders. In addition, weaknesses that generate actions or omissions not in keeping with the legal and regulatory framework, or with internal codes and standards, and which could result in administrative sanctions or reputational damage.
  • Management model based on the three lines of defence.
  • An Internal Control Committee was set up in 2016, bringing together the main functions of the second line of defence, Business Control and Internal Audit.
  • Launch of a strategic transformation project for the control & compliance culture, as part of CaixaBank’s Strategic Plan.
  • Significant progress in implementation of the Transformation Plan for Prevention of Money Laundering and International Financial Sanctions, and the Crime Prevention Model.
  • Definition and enhancement of the Compliance model, including the creation of Reporting and Communication, and Information Analysis areas.
  • Redefinition of the governance model, with direct reporting by Control and Compliance to the CEO.
Technological
Inadequacies or failures of hardware or software in the technical infrastructure that could compromise the availability, integrity, accessibility and security of infrastructure or data.
  • This risk is managed through Key Risk Indicators (KRIs), which are constantly measured using specific tools and reported to operational risk management.
  • The KRIs are grouped into the five categories defined by the regulator: availability and continuity risk; security risk; change risk; data integrity risk; and outsourcing risk.
  • Creation of a specific indicator to measure the Risk Appetite Framework for this risk, based on existing indicators.
  • Consolidation of existing controls and indicators, applying international best practices.
  • Renewal of ISO 27001 certification for security protection in online services.
  • ISO 27031 certification for the design of technological contingency regulations.
Operating processes and external events
Loss or damage caused by operational errors in processes related to CaixaBank’s activity due to external events beyond its control or third parties, whether accidental or fraudulent.
  • This risk is managed by the Operational Risk Committee, with representatives of the three lines of defence.
  • It is managed using a number of tools, including: loss databases (DBs), risk indicators (KRI), extreme scenarios, risk self-assessments and generation of weak points, as applicable.
  • The involvement of the first line of defence is essential, and mainly involves enriching the DBs and performance of self-assessments.
  • Performance of annual self-assessments and extreme scenarios.
  • Establishment of areas of collaboration with the Business Control unit, as a new player in the operational-risk management framework.
  • Construction of a new, second-level, synthetic Risk Appetite Framework (RAF) indicator for conduct risk.
  • Participation in stress tests organised by European authorities (EBA) and studies of the application of new methods of calculating capital requirements (SMA).
Reliability of financial reporting
Deficiencies in the accuracy, integrity and criteria of the process used when preparing the data necessary to evaluate the financial and equity situation of the CaixaBank Group. This is managed in a number of ways:
  • Accounting control of each monthly close.
  • Internal control over financial reporting (ICFR), designed as set down by the CNMV as part of the second line of defence in a three lines of defence model.
  • Validation of the financial planning and capital process by the second line of defence.
  • Quarterly monitoring of second level RAF metrics with alert thresholds.
  • Quarterly monitoring of related risk indicators (KRI).
  • Revision, updating and incorporation of key controls for relevant processes, paying particular attention to creating new controls for subsidiaries.
  • Application of the internal hierarchical certification model for key controls, without significant incidents.
  • Creation of the Information Management and Data Quality Committee.
  • Increasing the scope of audit and accounting control.
Reputational
Risk associated with reduced competitiveness due to the loss of trust in CaixaBank by some of its stakeholders, based on their assessment of actions or omissions, real or purported, by the entity, its senior management or governing bodies.
  • CaixaBank’s reputation scorecard (CMR) enables it to continuously monitor its key reputation indicators. This is also used to prepare the annual Global Reputation Index, a comparable metric with a multi-stakeholder approach that enables CaixaBank to set objectives for more efficient reputation management.
  • The reputational risk map identifies the risks with the highest potential impact on its image and the degree to which preventative measures are being applied. Indicators have been put in place for the most significant risks, to allow for periodic monitoring of the effectiveness of the preventive measures implemented.
  • Incorporation of new indicators into the risk scorecard to reinforce the multi-stakeholder vision.
  • Development of an internal IT tool for calculating, analysing and monitoring risk scorecard results.
  • Approval of the policy on defence, which sets out the criteria for CaixaBank’s action in relation to the identification and management of reputational risk.
  • Review of the existing protocol on relations with Politically Exposed Persons.