Active risk management

CaixaBank optimises the relationship between the risks and returns on its business activity to enhance its leadership of retail banking and bolster its position as one of the most robust European banks. It achieves this through its corporate governance system and effective risk management and control, in line with its business model, the expectations of its stakeholders and international best practices.

Risk appetite framework (RAF)

The Board of Directors has established four key dimensions expressing the Group’s aspirations for the main risks in the Corporate Risk Catalogue:

Risk Appetite Framework structure (RAF)

3 lines of defence

The first line of defence: comprising the bank’s business lines (risk takers) and support functions. These are responsible for developing and maintaining effective controls over their business. They are also responsible for identifying, managing and mitigating the risks they originate, and for operating an adequate control environment.

The second line of defence: comprising the Global Risk Management Function (RMF) and Compliance.

These functions identify, measure and monitor risks, establishing management policies and control procedures. They are also responsible for independent review of their application by the first line of defence.

The third line of defence: Internal Audit oversees the activities of the first and second lines of defence. It does this by reviewing the risk control environment, compliance and the effectiveness of corporate policies, providing independent information on the control model.

Main risk management bodies

Corporate risk catalogue

CaixaBank has defined a Corporate Risk Catalogue that facilitates monitoring and reporting of the Group’s risks. These risks have been approved by the Board of Directors and are reviewed annually.

Risks Risk management Situation and main activities in 2017
Profitability risk
Obtaining results below market expectations or Group targets that, ultimately, prevent the company from reaching a level of sustainable returns that exceeds the cost of capital
  • Management of this risk is based on defining a Strategic Plan, underpinned by financial planning that reflects this strategy. Compliance with the strategy and the budget is monitored continuously. Having quantified any potential deviations and identified their cause, the conclusions are submitted to the management and governance bodies to assess whether any changes are needed to ensure compliance with internal objectives.
  • In 2017, average profitability measured in terms of RoTE (return on tangible equity) approximated the Group’s cost of capital, while actions were also undertaken to contain future costs. Taken together with prudential risk management, these measures are laying the foundations for greater future profitability.
Own Funds/Solvency
Risk resulting from constraints on the Group’s ability to adapt its level of capital to regulatory requirements or changes in its risk profile.
  • Management activity focuses on maintaining a low-medium risk profile and comfortable capital adequacy to cover any unexpected losses.
  • Objectives:
    – 11% minimum common equity tier one (CET 1), comfortably exceeding Basel III requirements.
    – Weight of investees < 10%.
  • Regulatory CET1 capital of 11.7%. The minimum requirements are comfortably exceeded.
    The MDA¹ buffer at 31 December stood at €5,856 million.
  • The acquisition of 84.5% of the Portuguese bank BPI had a -115 basis points impact on regulatory CET1.
  • A number of issuances of capital were carried out in the year: one of €1,000 million of AT1 debt, and three of subordinated debt (Tier 2) amounting to €2,150 million (which comfortably offset the amortisation of the issuance of €1,302 million of subordinated debt in August).
Funding and liquidity
Risk of insufficient liquid assets or limited access to market financing to meet contractual maturities of liabilities, regulatory requirements or the investment needs of the Group.
  • This is managed based on: a liquidity management system decentralised for the entities of the CaixaBank Group (CaixaBank S.A. and BPI) with segregation of functions; holding an efficient level of liquid funds; active liquidity management; and stable and sustainable funding sources under both normal and stressed conditions.
  • A robust liquid asset position for the existing financing structure:
    – Immediately available bank liquidity of €72,775 million.
    – Group CaixaBank LCR ratio of 202%.

1. The capital threshold below which there are limits on dividend payments, variable remuneration and interest payments to holders of Additional Tier 1 capital instruments.

Credit risk
Risk of a decrease in the value of the CaixaBank Group’s assets due to uncertainty about a counterparty’s ability to meet its obligations.
  • This is the most significant risk for the Group’s balance sheet and arises from its banking and insurance business, treasury operations and investee portfolio.
  • Its management is characterised by a prudent approvals policy and appropriate coverage.
  • The management lifecycle takes an end-to-end approach to transactions.
  • Stable improvement trend in balance sheet credit-quality metrics. This is exemplified by non-performing assets, which remain on a downwards trend (from an NPL ratio of 6.9% in 2016 to 6.0% at year-end 2017).
  • A general improvement in concentration metrics, particularly in businesses considered non-core for CaixaBank.
Market risk
Risk of a decrease in the value of the Group’s assets held for trading or an increase in the value of its liabilities held-for-trading and in the held-to-maturity portfolio, due to fluctuations in interest rates, credit spreads, external factors or prices in the market where the assets and liabilities are traded.
  • This is managed based on: daily risk estimates, testing of the quality of these measurements (back testing), calculation of hypothetical results in the event of sharp changes in market prices (stress testing) and monitoring and control of limits.
  • The Group has put in place a daily VaR limit for its trading activities.
  • Low and stable risk, well below the limits set.
Interest rate risk in the banking book
Negative effect on the economic value of the balance sheet or results, caused by the renewal of assets and liabilities at rates that are different to those previously established, due to changes in the structure of the interest rate curve.
  • This risk is managed by optimising the net interest margin and keeping the economic value of the balance sheet within the limits established in the risk appetite framework.
  • CaixaBank actively manages risk by arranging additional hedging transactions on financial markets to supplement the natural hedges generated on its own balance sheet by its deposits and lending transactions with customers.
  • The sensitivity of net interest income over one year to a 100 bp increase or decrease in interest rates compared to the baseline scenario is +7.88% and -1.55% respectively.
  • The sensitivity of market value of equity to a 100 bp increase or decrease in interest rates is approximately +3.48% and +1.36%, respectively, compared to the baseline scenario.
Risk of an increase in the value of commitments assumed through insurance contracts with customers and employee pension plans, due to differences between the estimates of claims and actual performance.
  • Policies are based on guidelines from the Directorate-General of Insurance and Pension Funds (DGIPF) and monitoring of product performance.
  • The Group establishes limits for the net risk retained by each business line, risk and/or event, based on the risk profile and reinsurance costs.
  • Compliance with the new requirements introduced by the European Solvency II Regulations, which have been in force since 1 January 2016.
  • Performance of the first Annual Solvency II QRT (Quantitative Reporting Templates) reporting.
  • Publication of the first Own Risk and Solvency Assessment Report for VidaCaixa.
  • Development and improvement of monitoring of the risk appetite established by the Board of Directors of VidaCaixa through its risk management policies.
  • Involvement in sector working groups.
Impairment of other assets
Reduction in the carrying amount of the equity portfolio and non-financial assets (tangible, intangible, deferred tax assets (DTAs) and other assets) of the Group.
  • Establishment of policies and frameworks to optimise the management of investees within the strategic objectives, with ongoing monitoring of risk metrics and limits, monitoring changes in business and financial information, regulatory changes and the economic and competitive dynamics of the countries and sectors where they operate.
  • Performance of impairment and recoverability analysis, based on generally accepted methodologies.
  • Optimisation of the profitability of the real estate portfolio by distributing it for sale or rent, based on market research. Monitoring the management of the administrative, technical, legal and possessory cleanup of real estate assets. Ongoing monitoring of asset valuations, applying the criteria established by regulatory bodies, with individualised valuation focusing sharply on the most significant assets.
  • Approval of new Risk Management Policy for Investees.
  • Enhancement and formalisation of internal control functions to ensure they operate with integrity and in accordance with prevailing legislation, regulations and internal policies, including, in particular, the identification, measurement, monitoring and disclosure of the risks and controls identified.
  • The trend for real estate risk in the Group is stable, against a currently stable backdrop of regulations on real estate valuation and prices, and given the outlook based on studies by appraisers and the distribution and composition of the portfolio.
Loss or decline in profitability due to legislative or regulatory changes, errors in interpreting or applying prevailing laws, court rulings or administrative action that goes against the Entity’s interests or tax-related decisions taken by the Entity or the tax authorities.
  • Management aims to anticipate regulatory changes through regulatory monitoring and analysis, and identification of the main risks and impacts. Processes are also developed to adapt to and implement new regulatory requirements, and defend the entity against legal and administrative actions.
  • Involvement in consultations with domestic, European and international regulators.
  • Manage and ensure due knowledge in CaixaBank of the regulations and laws approved, and the criteria of regulators, that comprise the regulatory framework for the financial and non-financial services marketed by CaixaBank and its Group, and its asset management, and legal rulings from CaixaBank and its subsidiaries that share Legal Advisory services with CaixaBank.
  • Coordination of analysis of regulatory impact and implementation of new regulations by establishing criteria and procedures.
  • Assess the legal risk deriving from the products sold, the transactions carried out, the decisions adopted and, in general, the actions of the CaixaBank Group in any area of its activity, and communicate these to the other parts of the organisation through procedures designed for this purpose.
Conduct and Compliance
Application of criteria for action contrary to the interests of customers and stakeholders. Also includes weaknesses in procedures that generate actions or omissions that are not in line with the legal or regulatory framework, or with the internal codes and rules, which could result in administrative sanctions or reputational damage.
  • Management model based on the three lines of defence.
  • The General Control & Compliance Subdivision, which encompasses the Corporate Regulatory Compliance Division, reviews conduct and compliance risk as part of its independent function as the second line of defence for this risk, reporting directly to the CEO.
  • Formalisation and implementation of the annual Compliance Plan, which makes it possible to identify, measure, supervise and report to the governing bodies.
  • Significant advances in the development and execution of the action plan for the integration of BPI into the Compliance supervision model at the Group level.
  • Ongoing implementation of the strategic transformation project for the control and compliance culture:
    – A number of regulatory courses have been launched that are mandatory for all of the entity’s employees, and the Control & Compliance website has been designed and rolled out.
  • Consolidation of the general management framework governing potential conflicts of interests into a general conflicts of interest policy, providing benchmarks for all Group companies.
  • Updating of policies and regulations on the prevention of money laundering and international financial sanctions.
  • Reassessment of the Criminal Compliance model, with the creation of a new committee, the updating of the Policy and its extension to Group subsidiaries.
Losses due to hardware or software inadequacies or failures in the technical infrastructures that could compromise the availability, integrity, accessibility and security of the infrastructures and data.
  • This risk is managed through Key Risk Indicators (KRI), which are constantly measured using specific tools and reported to operational risk management.
  • The KRIs are consistent with the regulator’s grouping of these into five categories: availability and continuity risk; security risk; change risk; data integrity risk; and outsourcing risk.
  • Creation of a specific indicator to measure the technological risk within the Risk Appetite Framework.
  • Consolidation of existing controls and indicators, applying international best practices.
  • Renewal of ISO 27001 certification for security protection in online services.
  • Renewal of ISO 27031 certification for the design of the technological contingency regulations and their operation.
Operating processes and external events
Loss or damage caused by operational errors in processes related to the bank’s activity due to external events beyond its control or third parties, whether accidental or fraudulent. Includes errors in the management of suppliers, model risk and the custody of securities.
  • This risk is managed by the Operational Risk Committee, with representatives of the three lines of defence.
  • It is managed using a number of tools, including: loss databases (DBs), risk indicators (KRI), extreme scenarios, risk self-assessments and generation of weak points, as applicable.
  • The objective of monitoring these tools and weak points is to foster improvement actions by the three lines of defence through changes or improvements to processes and controls, so as to reduce future operational losses and bring them into line with the operational risk tolerance established in the Risk Appetite Framework.
  • Performance of the annual operational risk self-assessments.
  • Consolidation of the level 2 RAF metrics for technology and conduct risk, and implementation of a legal risk metric.
  • Initial analysis of the impact of the future implementation of the new method for calculating capital requirements (SMA).
  • Integration of BPI into the corporate management framework for operational risk, to converge towards consistent management at the Group level.
  • Updating of the operational risk taxonomy, to bring it into line with the new corporate risks catalogue.
Reliability of financial reporting
Deficiencies in the accuracy, integrity and criteria of the process used when preparing the data necessary to evaluate the financial and equity position of the CaixaBank Group. This is managed in a number of ways:
  • Accounting control of each monthly close.
  • Internal control over financial reporting (ICFR), designed as set down by the CNMV as part of the second line of defence in the three lines of defence model.
  • Validation of the financial planning and capital process by the second line of defence.
  • Quarterly monitoring of second level RAF metrics with alert thresholds.
  • Monitoring and analysis of compliance with the various aspects of the financial information verification and disclosure policy.
  • Revision, updating and incorporation of key controls for relevant processes, paying particular attention to creating new controls for subsidiaries.
  • Application of the internal hierarchical certification model for key controls, without significant incidents.
  • Creation of a verification and disclosure policy for financial information.
  • Progress on initiatives related to information governance and data quality.
The possibility that CaixaBank’s competitive edge could be blunted by loss of trust by some of its stakeholders, based on their assessment of actions or omissions, real or purported, by the bank, its senior management or governing bodies, or because of related unconsolidated entities becoming bankrupt (Step-In risk).
  • CaixaBank’s reputation scorecard (CMR) enables it to continuously monitor its key reputation indicators. This is also used to prepare the annual Global Reputation Index, a comparable metric with a multi-stakeholder approach that enables CaixaBank to set objectives for more efficient reputation management.
  • CaixaBank’s reputational risk map identifies the risks with the highest potential impact on its image and the degree to which preventative measures are being applied. Indicators have been put in place for periodic monitoring of the effectiveness of the preventive measures implemented.
  • Review and enhancement of the Global Reputation Index (GRI), adding new indicators and including BPI in the analysis and measurement scope.
  • Updating of the Reputational Risk Map in response to the Entity’s current position and external circumstances. New risks that need to be prevented have been added and some existing risks have been reformulated.
  • Approval of the Socially Responsible Banking Plan.
  • Roll-out of the Reputational Risk Support Service (RRSS) to handle branch enquiries concerning matters that could result in a breach of the corporate responsibility policies.