Recomendaciones y Perspectivas a Futuro

129 129 137

143 145

150 150 151

153 155 157 158 158

161

161 162 163 10. LIQUIDITY AND FUNDING RISK

10.1. Balance sheet analysis and liquidity risk measurement 10.2. Funding strategy and evolution

of liquidity in 2013

11. OPERATIONAL RISK

11.1. Definition and objectives 11.2. Information used 11.3. Corporate governance

and organisational model 11.4. Limits for considering operational

loss events in the database 11.5. Evolution of the main metrics 11.6. Mitigation measures

11.7. Business Continuity Plan 11.8. Other aspects of operational

risk control and monitoring

12. COMPLIANCE AND REPUTATIONAL RISK 12.1. Definitions and objective

12.2. Corporate governance and organisational model 12.3. Risk appetite model 12.4. Risk management model

6. RISKS

6.1. Corporate risk management principles

This chapter describes the basic principles governing risk management in the Santander Group, summarises the main functions assigned to the board risk

committee and explains the corporate governance of the risk function, showing its organisational structure.

The Santander Group’s risk policy is aimed at maintaining a predictable, medium-low overall risk profile. The Group’s risk management model is a key factor for the achievement of the Group’s strategic objectives.

Santander’s risk management model, which underlies the business model, is based on the following principles:

• Independence of the risk function with respect to the business. The head of the Group’s risk division, as second vice-chairman and chairman of the board risk commit-tee, reports directly to the executive committee and the board. To ensure that the risk function has the necessary independence and autonomy to adequately control risk, a clear separation of functions is established between the business areas and the risk areas responsible for measur-ing, analysmeasur-ing, monitoring and reporting risk.

• Direct involvement of senior management in decision making.

• Collegial decision-making to ensure that opinions are challenged and avoid having complete decision authority assigned to individuals, even at branch level. Sharing of responsibility for credit approval decisions between risk areas and commercial areas, with Risks having the final decision in the event of disagreement.

• Assignment of authority. Each credit approval or risk management unit has clear instructions on the types of activities and segments it may engage in, the risks its may take, and the decisions it may make in relation to risk, depending on the level of authority delegated to it. There are also clearly stated rules on how transactions are to be executed and managed and in which unit they are to be booked.

• Corporate control. Risk control and risk management are integrated through a corporate risk management struc-ture, with global responsibilities (all risk, all business, all geography).

Risk management and risk control in the Santander Group are conducted as follows:

• Setting of the risk appetite, so as to succinctly and explic-itly define the levels and types of risk the entity is willing to take in the conduct of its business.

• Establishment of risk policies and procedures, which pro-vide the basic framework for regulating risk activities and processes. The local risk units mirror the corporate struc-tures in order to transpose the corporate risk rules into their internal policies.

• Application of corporate methodological guidelines to the construction, independent validation and approval of risk models. These models make it possible to systematise not only risk origination processes but also risk monitor-ing and risk recovery, the calculation of expected loss and necessary capital, and the assessment of the products in the trading book.

• Implementation of a risk monitoring and control system which on a daily basis measures Santander’s current risk profile against the approved risk policies and established limits and generates reports.

6.2. Corporate governance of the risk function

The board risk committee is responsible for making propos-als to the board regarding the Group’s risk policy, approval of which is part of the board’s administrative and supervi-sory role.

The committee also ensures that the Group’s activities are consistent with its risk tolerance level and establishes the global limits for the main risk exposures, reviewing them systematically and resolving any transactions that exceed the powers delegated to bodies lower down the hierarchy.

The board risk committee, which has executive powers and adopts decisions within the scope of the authority delegat-ed to it by the board, is chairdelegat-ed by the second vice-chairman of the Santander Group and also includes four directors of the Bank.

During 2013 the board risk committee met 97 times, under-scoring the importance the Santander Group attaches to proper risk management.

The main responsibilities of the board risk committee are as follows:

• Propose to the board the Group’s risk policy, which must identify, in particular:

• The different types of risk (financial, operational, tech-nological, legal and reputational, among others) to which the Group is exposed.

• The information and internal control systems that will be used to control and manage these risks.

• The level of risk the Bank considers acceptable.

• The measures in place to mitigate the impact of the identified risks, should any of them materialise.

• Systematically review exposures to the main customers, economic sectors, geographic areas and risk types.

• Authorise management tools and risk models, and receive internal validation reports on these tools and models.

• Monitor the Group’s actions to ensure that they are con-sistent with the Group’s risk appetite.

• Be informed of, assess and monitor the comments and recommendations issued from time to time by the super-visory authorities in the exercise of their function.

• Decide on any transactions that exceed the scope of the authority delegated to lower levels and set overall pre-classification limits for economic groups or for exposures by risk class.

The board risk committee delegates some of its powers to risk committees for particular geographic areas, businesses and risk types, all of which are defined in the risk govern-ance model.

In addition, both the executive committee and the board of directors of the Bank pay special attention to the manage-ment of the Group’s risks.

The board of directors will submit to the 2014 annual gen-eral meeting a proposal for an amendment to the bylaws to provide for the creation of a new committee to advise the board on risk policy and risk oversight matters, in compli-ance with the recent capital requirements directive (CRD IV).

Once this committee has been created, the board risk com-mittee will retain its risk management competencies.

The Group’s second vice-chairman is the chief risk officer.

The chief risk officer (CRO) is a member of the board of di-rectors and chairman of the board risk committee. The CRO is supported by two risk management units, which are ad-ministratively and functionally independent of the business areas. These units are organised and function as follows:

• The General Directorate of Risk (GDR) handles the execu-tive functions of credit and financial risk management and control of other risks (mainly IT, operational and compli-ance) and is organised by customer, activity and geogra-phy, so as to match the structure of the business (global/

local vision).

The areas covered by the GDR are divided into three blocks:

• A management structure for the management and con-trol of financial risks (credit, market and structural) and the control of other risks. This includes the following ar-eas: loans to individuals, business loans, credit approval and monitoring, market and structural risks and control of non-financial risks.

• A management structure for the businesses, which performs the risk function in the Group’s global and local businesses. This block includes the following ar-eas: management of the risks of Santander Consumer Finance, management of the risks of global businesses, and asset recovery and clean-up.

• A management structure for the establishment of frameworks and the development and implementation of models and IT infrastructure. This includes the follow-ing areas: risk policies, risk information methodology and management.

The above structure is supplemented by a planning and gov-ernance area, which is responsible for the coordination of new projects and the internal management of all the units;

and a supervision and risk consolidation area, which has an oversight role, supervising all risks on a consolidated basis.

These functions act on a global level, that is to say, they play a role in all the units over which the risk division exercises control; and the same functional structure is mirrored in the local units. The main mechanism through which the global functions are replicated in each unit is the “corporate

frame-works”. As the corporate frameworks are applied in all the local units, they are key to communicating and transferring global practices, reflecting the action criteria and policies for each area and setting the Group’s compliance standards.

In general terms, a distinction can be drawn between the main functions performed by the GDR’s global areas and those performed by the units:

• The GDR establishes the risk policies and criteria, the overall limits, and the decision and control processes;

generates management frameworks, systems and tools;

and adapts banking industry and local unit best prac-tices for application in the Group.

• The local units apply the policies and systems to the lo-cal market; adapt their organisation and management frameworks to the corporate frameworks; provide criti-cal feedback and best practices; and lead locriti-cal projects.

• The General Directorate of Integral Risk Control and In-ternal Validation has global corporate responsibilities and supports the Group’s governance bodies. This directorate is made up of the following departments:

• Internal validation of credit, market and economic capital risk models, aimed at assessing the models’ fitness for management and regulatory purposes. Validation involves reviewing each model’s theoretical foundations, the qual-ity of the data used to build and calibrate the model, how the model is used, and the associated governance process.

• Integral risk control, whose mission is to oversee the qual-ity of the Group’s risk management, so as to ensure that the systems for managing and controlling the various risks inherent in the Group’s activity meet the most stringent criteria and follow industry or regulatory best practices, checking that the actual risk profile matches the risk ap-petite established by senior management.