6.1 DEFINITION
Dexia defines operational risk as the risk of a financial or non-financial impact resulting from inadequate or failed internal processes, people and systems, or from external events. This definition includes risks related to information systems, legal issues and compliance, but excludes strategic risk.
The definition of operational risk developed by Dexia is inspired, in a non-exhaustive manner, by the definition provided by the Basel Committee, which puts the emphasis on losses (negative financial impacts). Therefore, Dexia’s policy also requires the collection of data concerning any events that generated financial gains.
6.2 GOVERNANCE
The management of operational risk is based on strong governance, which requires clearly defined roles and responsibilities.
The Management Board of the Dexia Group meets weekly to regularly examine changes in the risk profile of the Group’s various activities and make all necessary decisions.
The Risk Policy Committee, a strategic committee made up of representatives of the Management Board, approves Group-wide policies. The Risk Policy Committee meets quarterly.
MANAGEMENT REPORT
The Operational Risk Guidelines Committee, chaired once a quarter by the Group Chief Risk Officer, details the approved policies in guidelines adapted to business activities. It transversally reviews all operational risk events and related analyses. Dexia Credit Local is represented on the ORGC by the member of the Dexia Credit Local Management Board in charge of the Public and Wholesale Banking business line.
The Operational Risk Management Committee, chaired once a month by the Group Chief Operational Risk Officer, develops consistent Group-wide operational risk procedures, including those for business continuity, crisis management, information security and insurance. This committee includes the Operational Risk Officers of the Group’s main entities, including Dexia Credit Local.
The line management in each entity has primary responsibility for operational risk. For each field of activity they appoint an operational risk correspondent whose role is to coordinate the collection of risk event data and self-assessments, with the help of the local operational risk management unit.
6.3 RISK MANAGEMENT
Dexia’s operational risk management system is based on the following key factors:
Operational risk database
The systematic capture and follow-up of risk events is one of the most important requirements stated by the Basel Committee, whatever the approach chosen for the capital calculation (Standardized or Advanced Measurement Approach): “time series of losses may provide useful information for assessing exposure to operational risk and developing a strategy to control/mitigate this risk.”
Consequently, the collection of operational risk event data allows Dexia Credit Local to comply with regulatory requirements and to obtain valuable information that it can use to improve the quality of its internal control system. Strict reporting guidelines have been formulated and distributed at the Dexia Credit Local Group level, to ensure that important information is passed on in due time (the threshold for mandatory reporting is set at EUR 2,500). The Operational Risk Management (ORM) function provides the Management Board with a report of all major operational risk events, including the action plans to reduce the risks, as defined by the line management.
Risk and control self-assessment
In addition to building a time series of losses, it is also necessary to identify Dexia Credit Local’s exposure to the major types of operational risk through a risk-mapping of all its significant activities. This is achieved through the performance of bottom-up Risk and Control Self-Assessments (RCSA) in all Group entities. The RCSAs not only call for the identification and assessment of all major risks and controls, they may also result in the definition of initiatives to reduce these risks. They provide an overall view of most of the risk areas in the different entities and activities, and allow results to be reported to management at every level of the organization. In 2009, RCSAs were conducted in every department in the Group’s Head Office and its international subsidiaries, and they will be repeated at regular intervals.
Management of information systems security and business continuity
The information systems security policy and all related guidelines, standards and practices aim to ensure the security of Dexia Credit Local’s information assets.
Thanks to the security programs and well-defined responsibilities in place, all of the business lines operate in a secure environment.
As required by the Group’s policy on business continuity, the business lines must perform impact studies for all critical activities. They must define and establish recovery plans and ensure that the business continuity plans of the different functions are tested and updated at least once a year. Based on the information it receives in regular reports, the Management Board validates all recovery strategies, residual risks and action plans in an effort to achieve continuous improvement.
Management of insurance policies
Dexia Credit Local also reduces the operational risks to which it is exposed by subscribing to group insurance policies, covering professional liability, fraud, theft and business interruption. Through this group insurance policy, the Group seeks to establish insurance-related recommendations covering the various risks to which it is exposed, and to implement these recommendations at both the Group and Dexia Credit Local levels. The Group also oversees centralized negotiations with brokers and insurance companies.
Definition and monitoring of action plans
Line management defines the corrective measures inherent to the major risk events or significant risks identified. The operational risk management function provides regular monitoring of and quarterly reports for all of the activities.
This process promotes improvement of the internal control system and reduction of risk in an appropriate fashion over time.
Increased coordination with other functions involved in the internal control system
A new software application was developed in 2009 to cover most of the components of the operational risk management system and to make certain key features available to other central functions (internal audit, compliance, permanent control and quality control). The installation of this software in 2010 will enable all of these functions to use a common language and common reference systems, and will enable consolidated information to be produced for line management, in particular in respect of any action plans or recommendations to be followed over time.
Risk management