• No se han encontrado resultados

Operational risk is the risk of loss due to errors, infringements, interruptions, damages caused by internal processes or personnel or systems or caused by external events. This definition includes legal and compliance risks, but excludes strategic and reputational risk.

For example, losses arising from the following can be defined as operational: internal or external fraud, employment practices and workplace safety, client claims, products distribution, fines and penalties due to regulation breaches, damage to the company’s physical assets, business disruption and system failures, process management.

Group operational risk framework

UniCredit group sets the operational risk management framework as a combination of policies and procedures for controlling, measuring and mitigating the operational risk of the Group and controlled Entities.

The operational risk policies, applying to all Group Entities, are common principles defining the roles of the company bodies, the operational risk management function as well as the relationship with other functions involved in operational risk monitoring and management.

The Parent Company coordinates the Group Entities according to the internal regulation and the Group operational risk control rulebook. Specific risk committees (Risk Committee, ALCO, Operational Risk Committee) are set up in the Entities to monitor risk exposure, mitigating actions and measurement and control methods.

The methodology for data classification and completeness verification, scenario analysis, risk indicators, reporting and capital at risk measurement is set by the Parent Company Group Operational & Reputational Risks department and applies to all Group Entities. A pivot element of the risk control framework is the operational risk management application, allowing the collection of the data required for operational risk control and capital measurement.

The results from the various elements of the operational risk framework are as much as possible translated into actions that mitigate operational risk. In this way and through the years, the framework has evolved from a control system to a practice aimed at managing and mitigating the risk.

The compliance of the Group Operational risk control and measurement system with external regulations and Group standards is assessed through an internal validation process under the responsibility of the Group Internal Validation department of the Parent Company and independent from the Group Operational & Reputational Risks department.

In March 2008, UniCredit group received authorization to use the AMA model (Advanced Measurement Approach) for calculating operational risk capital. The use of this method in time is being rolled out to the main Entities of the Group.

Organizational structure

Top Management is responsible for approving all aspects relating to the Group operational risk framework and verifying the adequacy of the measurement and control system and is regularly updated on changes to the risk profile and operational risk exposure, with support from the appropriate risk committees.

The “Group Operational & Reputational Risks Committee”, chaired by the Parent Company's head of Group Risk

Management, is made up of permanent and guest members. The list of participants of the Committee has been updated in 2013, also in the light of the changes in the organizational structure of the Group Risk Management department.

The “Group Operational & Reputational Risks Committee” meets with consulting and suggestion functions for submission to the “Group Risk Committee” for the following topics:

• Group risk appetite including capitalization targets and capital allocation criteria for Group operational risks

• structure and definition of limits for Group operational risk for achieving risk allocation targets across Business Functions, Legal Entities and portfolios

• initial approval and fundamental modifications of risk control and measurement systems for operational risk, including possible action plans, processes, IT and data quality requirements, supported by the related internal validations

• overall strategies for operational risk optimization, “Governance Guidelines” and general “Policies” for the management of Group operational risk

• action plans to address possible critical findings related to risk control and measurement systems resulting from

“Group Internal Validation” and “Internal Audit” activities, with regard to the internal control system and risk measurement

• status update of relevant Basel II project activities and processes on operational risk topics

• ICAAP topics on operational risks

• yearly Regulatory Internal Validation Report on operational risk

• and for the following topics with reference to reputational risk:

• support, for specific reputational risk events, the crisis management capabilities and stakeholder communication, coherently with the Reputational Risk Management framework

• advice on matter of reputational risk, including clarification in matter of reputational risk special policies implementation (policies grey area), upon request of the Parent Company function/Bodies, Divisions and Legal Entities.

33

The “Group Operational & Reputational Risks Committee” will provide the “Group Risk Committee” with the following information:

• regular risk reports on operational losses, insurance recoveries, risk indicators trend, as well as, on back – testing and stress testing results, including the ones addressed to the Bank of Italy (before submission)

• results of scenario analyses

• results of the critical risk indicators analyses

• relevant internal and external operational events occurred, significantly affecting the Group's portfolio

• special operational and reputational risk policies

• corrective actions for balancing Group operational risk positions, including mitigation actions

• Group insurance strategies, including renewals, limits and deductibles

• methodologies for the measurement and control of operational risk

• regular reports on reputational risks

• single transactions evaluated, when – on an exceptional basis, i.e. in case of reputational risk policies' grey areas - submitted by the relevant competent Committee.

The “Group Operational & Reputational Risks Committee” will receive from the relevant competent Committees regular report on all transactions for which inherent reputational risks have been evaluated, based on current reputational risk “Governance Guidelines” and “Policies”.

Following the adoption of the new organizational structure of the Group in January 2013, in the Parent Company, the Group Operational & Reputational Risks department is part of the Group Risk Management department and supervises and manages the overall profile of the operational and reputational risks in the Group by defining the strategies, methodologies and limits. It coordinates and steers the operational risk management functions in the Group Entities, also by issuing Policies that are approved and implemented by the Entities’ competent governing bodies.

The department has three organizational units:

• The “Operational and Reputational Risk Oversight” unit is responsible for defining the principles and rules for identification, assessment and control of operational risk and reputational risk (including operational risks bordering on credit risk and market risk), and monitoring their correct application by the Legal Entities.

• The “Operational and Reputational Risk Strategies” unit is responsible for defining operational risk strategies, defining and controlling limits, as well as proposing mitigation actions and monitoring their effectiveness.

• The “Operational and Reputational Risk Analytics” unit is responsible for defining risk capital measurement approaches, calculating operational risk capital and the corresponding economic capital, as well as conducting quantitative analysis of the Group's exposure to operational risk and reputational risk, and providing suitable reporting to the functions concerned.

The Operational Risk Management functions of the controlled Entities provide specific operational risk training to staff, also with the use of intranet training programs, and are responsible for the correct implementation of the Group framework elements.

Validation process

In compliance with regulations, an internal validation process for the operational risk control and measurement system has been set up at the Parent Company and in the relevant Group Entities in order to verify the conformity with regulations and Group standards. This process is responsibility of the Pillar II Risks and Operational Risk Validation unit, within the Group Internal Validation department.

Group methodologies for measuring and allocating the capital at risk and the IT system are validated at Parent Company level by the abovementioned Unit, while the implementation of the operational risk control and management system within the relevant Entities is analyzed by the local Operational Risk Management functions with a self-assessment, following the technical instructions and policies issued by the Group Internal Validation department.

The results of the local assessments are annually verified by the Group Internal Validation department which also performs additional analysis on data and documentation. Such evidences are the basis for the release of specific Non-Binding Opinions to the relevant subsidiaries. The local validation report, together with the opinion of the Group Internal Validation department and the Internal Audit report are submitted to the Entities’ competent governing bodies.

All the validation outcomes on the operational risk control and measurement system, both at Parent Company and controlled entities level, are annually consolidated within the Group Validation report which, along with the annual Internal Audit report, is presented to the UniCredit Board of Directors.

Periodical reporting on validation activities is submitted also to the Group Operational & Reputational Risks Committee.

I

Reporting

A reporting system has been developed by the Parent Company to inform Top Management and relevant control bodies on the Group operational risk exposure and the risk mitigation actions.

In particular, quarterly (or more frequent) updates are provided on operational losses, capital-at-risk estimates, the main initiatives undertaken to mitigate operational risk in the various business areas, operational losses suffered in the credit linked processes (“cross-credit” losses). A summary of the trend of the most critical risk indicators is distributed each month.

The results of the main scenario analyses carried out at Group level and the relevant mitigation actions undertaken are also submitted to the attention of the “Group Operational & Reputational Risks Committee”.

Operational risk management and mitigation

Operational risk management exploits a number of tools like process reengineering to reduce the risk exposure and

insurance policies management, by defining proper deductibles and policies’ limits. Regularly tested business continuity plans assure sound operational risk management in case of interruption of main business services.

The Parent Company Board of Directors, within its steering powers, approves the operational risk strategies aiming to identify the priority areas for operational risk mitigation. In the Legal Entities, the Risk Committee (or other bodies, in accordance with local regulations) reviews risks tracked by the Operational Risk functions with the support of functions involved in daily operational risk control, and monitors the risk mitigation initiatives, in coherence with and implementation of the operational risk strategies.

35

• reputational risk.

These risks are defined as follows.

Business Risk

Business risk is defined as adverse, unexpected changes in business volume and/or margins that are not due to credit, market and operational risks. Business risk can result, above all, from a serious deterioration in the market environment, changes in the competitive situation or customer behavior, but may also result from changes in the legal framework.

The exposure data used to calculate business risk are taken from the income statements of each Group Entity for which the risk is significant. Volatility and correlation are derived from the relevant income statements profit & loss items.

Business risk is measured by Earnings at Risk (EaR), defined as the maximum annual loss with a confidence level set according to the rating target, with a one-year time horizon and assuming normal distribution.

Business Risk is calculated quarterly for monitoring purposes and for budgeting purposes according to planning time scheduling.

Real Estate Risk

Real estate risk is defined as the potential losses resulting from market value fluctuations of the Group’s real estate portfolio, including real estate special purpose vehicles. It does not take into consideration properties held as collateral.

The relevant data for the real estate risk calculation include general information related to properties and area or regional price indexes for each property to enable calculation of volatility and correlation in the model.

The calculation of real estate risk estimates the maximum potential loss with a confidence level set according to the rating target and a one-year horizon, using a variance-covariance approach and assuming normal distribution.

Real estate risk is calculated for monitoring purposes every six months and for budgeting purposes according to the timelines scheduled in the planning process.

Financial Investment Risk

Financial investment risk originates in equity held in companies not included in the Group or held in the trading book.

The relevant portfolio mainly includes listed and unlisted shares, derivatives with equity underlyings, private equity, units of mutual, hedge and private equity funds.

For all Group equity positions, capital absorption may be calculated using PDs and LGDs or a market-based approach. The PD/LGD approach is used for unlisted companies, including direct private equity holdings. The market-based approach is used for traded equities, equity hedges and all mutual, hedge and private equity funds through the mapping of market indexes.

The calculation of financial investment risk is based on the maximum potential loss, i.e. Value at Risk (VaR), with a

confidence level set according to the rating target and a one-year horizon. Financial investment risk is calculated quarterly for monitoring purposes and for budgeting purposes according to the timelines scheduled in the planning process.

Strategic Risk

Strategic Risk is the risk of suffering potential losses due to decisions or radical changes in the business environment, improper implementation of decisions, lack of responsiveness to changes in the business environment, with negative impact on the risk profile and consequently on capital, earnings as well as the overall direction and scope of a bank on the long run.

UniCredit Group has in place a Corporate Governance Structure – the system of rules and procedures that serve as guidelines for the conduct of the company in carrying out its duties to its stakeholders – that allows the management of Strategic risk at Group level.

To mitigate its strategic risk, UniCredit is strengthening internal risk culture. In this context, an important initiative was the launch of the “Risk Academy”, with the aim of creating a center of risk education excellence for the whole Group.

I

Reputational Risk

Reputational risk is identified as the current or future risk of a decline in profits as a result of a negative perception of the Group’s image by customers, counterparties, bank shareholders, investors or the Regulator.

In 2010 the UniCredit S.p.A. Board of Directors approved the Group Reputational Risk Governance Guidelines, which aim at defining a general set of principles and rules for measuring and controlling reputational risk. The Governance Guidelines were distributed to the UniCredit group Legal Entities for local implementation.

The role of the Group Operational and Reputational Risks department is to:

• develop methodologies for the measurement and control of reputational risk, facilitating the task of identifying, valuing and measuring such risk;

• monitor the implementation – in the Legal Entities – of methodologies of reputational risk (general guidelines for the management and control of reputational risk), defining the tasks to be carried out on a regular basis;

• propose mitigation actions to the competent functions and bodies;

• define the methodology for evaluating the reputational risk of products.

Moreover, the set-up of the “Group Operational and Reputational Risk Committee” ensures consistency in reputational risk policies, methodologies and practices across Divisions, Business Units and Legal Entities, controlling and monitoring the Group Reputational Risk portfolio.

The UniCredit Group is strongly committed to promote sustainable solutions in all its financing and investment decisions, with particular attention to the reputational implications. Any transaction undertaken must seek to minimize environmental, social and reputational risk.

The Transactional Credit Committees are in charge of evaluating possible reputational risks inherent in transactions, as defined by the current reputational risk Global Rules.

In order to protect the UniCredit Group from reputational risk-taking, in addition to the already existing Group Reputational Risk Governance Guidelines the following policies in specific sectors are in place: “Defense/Weapons”, “Nuclear Energy”,

“Non-cooperative Jurisdictions”, “Mining” and “Water Infrastructures (dams)”.

Finally, the Human Rights Commitment document aims to identify and manage human rights risks and reduce potential human rights violations.

37

Internal Capital is the capital needed to face the potential losses inherent in the Group’s business activities and it takes into consideration all risk types identified by the Group as quantifiable in terms of Economic Capital in line with Pillar II

requirements (credit, market, operational, business, financial investment and real estate risks, including the effects of diversification between risk types (‘interdiversification’) and within each portfolio type (‘intradiversification’) and a prudential cushion for the model risk and the variability of the economic cycle).

Internal Capital is calculated using the Bayesian Copula approach for aggregation with a one-year time horizon and a confidence level in line with the Group rating target. The distribution of correlation matrixes that represents the dependence structure between risks is achieved combining expert opinions with empirical correlation coefficient calculated relying on the time series of specific risk factors.

For control purposes, Internal Capital is calculated quarterly or ad hoc if needed; it is also projected for budgeting purposes.

The multi-dimensional nature of risk makes it necessary to supplement the measurement of economic capital with stress testing, not only in order to estimate losses in certain scenarios, but also to ascertain the impact of their determinants.

Stress testing is a key risk management tool for the management of the relevant risks in order to assess the bank's vulnerability with respect to exceptional but plausible events, providing additional information to the monitoring activities.

Stress testing activities, consistently with regulatory requirements, are performed on the basis of a set of internally defined stress scenarios, including the main regions where the Group is present, and are carried out at least twice a year.

As part of the risk measurement activities performed for Pillar 2 purposes, firm-wide stress test considers the various impacts of a given macro-economic scenario on all relevant risks, in order to deliver a complete and holistic picture of the institution’s reaction to stressed conditions.

The firm-wide stress scenario is drawn analyzing both significant market events happened in the past and plausible worst-case events not yet occurred.

Stress testing is carried out on both individual risk types and their aggregation, providing as output conditional losses and stressed economic capital. The combined stress test calculation covers the changes on the amount of the individual risk types and of the diversification benefit in crisis conditions.

The Group top management is involved in the ex-ante as well as the ex-post stress analysis in the following way:

• before the exercise is finalized, with a presentation regarding the selected scenarios and the underlying assumptions

• after the exercise is finalized, with the disclosure of the results and a potential discussion of a contingency plan, if needed.

The adequacy of the risk measurement methodologies supporting the ICAAP, including stress testing and risk aggregation, is checked by internal validation.

Under the corporate governance system, the Parent Company’s Group Risk Management is responsible for the Group Economic and Internal Capital methodology development and their measurement, moreover the Parent Company is responsible to set and implement the Group related processes.

The "Group Rules", after the approval, are sent to relevant LEs for approval and implementation.

Documento similar