1

RISKS

IDENTIFICATION, MEASUREMENT, MANAGEMENT, CONTROL AND INTERNAL COMMUNICATION OF

RISKS TO WHICH ARE OR MAY BE EXPOSED THE ENTITY.

Seeking to achieve excellence in risk management has been a priority for Grupo Santander throughout
its 160 year history.

Risk management is one of the key functions in ensuring that the Group remains a robust, safe and
sustainable bank, trusted by its employees, customers, shareholders and society as a whole.

The risk function is based on the following pillars, which are aligned with Grupo Santanders strategy
and business model, and incorporate the recommendations of supervisory bodies, regulators and best
Banco Santander, S.A. - Domicilio Social: Paseo de Pereda, 9-12. 39004 SANTANDER - R.M. de Santander, Hoja 286, Folio 64, Libro 5 de Sociedades, Inscripcin 1. C.I.F.A-39000013

practices in the market:

1. The business strategy is defined by the risk appetite. The board of Grupo Santander determines
the quantity and type of risk it considers reasonable to assume in the execution of its business
strategy and to create targets that are objective, comparable and consistent with the risk appetite
for each key activity.

2. All risks have to be managed by the units which generate them using advanced models and tools
and integrated in the different businesses. Grupo Santander is promoting advanced risk
management using models and innovative metrics, and also a control, reporting and escalation
framework in order to pinpoint and manage risks from different standpoints.

3. The forward-looking approach for all risk types must be part of the risk identification, assessment
and management processes.

4. The independence of the risk function encompasses all risks and provides an appropriate
separation between the risk generating units and units responsible for controlling these risks. It
implies that the risk function should also have sufficient authority and direct access to management
and governance bodies which are responsible for establishing and overseeing risk strategy and
policies.

5. Risk management has to have the best processes and infrastructures. Grupo Santander aims to be
a benchmark model in developing risk management support infrastructure and processes.

6. A risk culture which is integrated throughout the organisation, composed of a series of attitudes,
values, skills and guidelines for action to cope with all risks. Grupo Santander believes that
advanced risk management cannot be achieved without a strong and steadfast risk culture which is
found in each and every one of its activities.

Ciudad Grupo Santander

28660 Boadilla del Monte (Madrid)
 2

The Groups risk management model establishes a control environment which ensures the risk profile is
maintained within the levels set in the risk appetite and other limits.

The main elements that ensure effective control are:

Robust governance, with a clear committee structure that separates decision making, on one side,
from risk control, on the other, all encompassed and developed within a solid risk culture.
A set of key, inter-related processes in the planning of the Groups strategy (budget processes, risk
appetite, regular assessment of liquidity and capital adequacy, and recovery and resolution plans).
Aggregated supervision and consolidation of all risks.
Regulatory and supervisory requirements are incorporated into day-to-day risk management.
Banco Santander, S.A. - Domicilio Social: Paseo de Pereda, 9-12. 39004 SANTANDER - R.M. de Santander, Hoja 286, Folio 64, Libro 5 de Sociedades, Inscripcin 1. C.I.F.A-39000013

Independent assessment by internal audit

Decision making based on appropriate management of information and technological infrastructure.

The elements enabling adequate assessment, measurement, management, control and

communication of all these risks derived from Grupo Santanders activity are set out below.

1. Risks map
Identifying and evaluating all risks is a corner stone for controlling and managing risks. The risks map
covers the main risk categories in which Grupo Santander has its most significant exposures, current
and/or potential, facilitating this identification.
The risks map covers financial risks, non-financial risks and transversal risks, more details in captulo de
riesgos del informe anual.

2. Risk governance

The governance of the risk function should safeguard adequate and efficient decision making and
effective risk control, and ensure that they are managed in accordance with the risk appetite defined by
the Groups senior management and its units, as applicable.

For this purpose, the following principles are established:

Segregation between risk decisions and control.
Stepping up the responsibility of risk generating functions in the decision making process.
Ensuring that all risks decisions have a formal approval process.
Ensuring an aggregate overview of all risk types measured against the Groups aggregate risk
appetite.
Bolstering risk control committees.
Maintaining a simple committee structure.

Ciudad Grupo Santander

28660 Boadilla del Monte (Madrid)
 3

3. Management processes and tools

Risk appetite and structure of limits

Santander defines risk appetite as the amount and type of risks considered reasonable to assume for
implementing its business strategy, so that the Group can maintain its ordinary activity in the event of
unexpected circumstances. Severe scenarios are taken into account that could have a negative impact
on the levels of capital, liquidity, profitability and/or the share price.

The board is responsible for annually setting and updating the risk appetite, monitoring the Banks risk
profile and ensuring consistency between both of them.

The risk appetite is set for the whole of the Group as well as for each of the main business units in
Banco Santander, S.A. - Domicilio Social: Paseo de Pereda, 9-12. 39004 SANTANDER - R.M. de Santander, Hoja 286, Folio 64, Libro 5 de Sociedades, Inscripcin 1. C.I.F.A-39000013

accordance with a corporate methodology adapted to the circumstances of each unit/market. At the
local level, the boards of the subsidiaries are responsible for approving the respective risk appetite
proposals once they have been validated by the Group.

Risk Identification and Assessment (RIA)

Banco Santander, as part of its routine management, identifies and assesses the risks to which it is
exposed in the countries in which it operates, and which are inherent in its activity, and to meet the
regulatory requirements.

Consequently the Group makes a corporate Risk Identification & Assessment exercise that assess the
risk profile of the Group, its units and the most important risk types.

RIA analiza su evolucin e identifica reas de mejora en cada uno de los bloques que lo componen:
Risk performance, enabling understanding of residual risk by risk factor through a set of metrics
calibrated.
Assessment of the control environment, measuring the implementation of a target management
model, pursuant to advanced standards.
Forward-looking analysis of the unit, based on stress metrics and/or identification and/or
assessment of the main threats to the strategic plan (Top Risks).
Analysis of scenarios

Banco Santander conducts advanced management of risks by analysing the impact that different
scenarios could provoke on the environment in which the Bank operates. These scenarios are expressed
both in terms of macroeconomic variables as well as other variables that affect management.

The robustness and consistency of scenario analysis exercises are based on the following pillars:
Developing and integrating mathematical models that estimate the future evolution of metrics (for
example, credit losses), based on both historic information (internal to the Bank and external from
the market), as well as simulation models.
Including the expert judgement and know-how of portfolios, questioning and back testing the result
of the models.
The backtesting of the results of the models against the observed data, ensuring that the results are
adequate.

Ciudad Grupo Santander

28660 Boadilla del Monte (Madrid)
 4

The governance of the whole process, covering the models, scenarios, assumptions and rationale for the
results, and their impact on management.

Reporting

Grupo Santander has developed and implemented the necessary structural and operating
improvements to reinforce and consolidate enterprise wide risk, based on complete, precise and regular
data. This allows the Groups senior management to assess risk and act accordingly.

Against this background, Santander believes that regulatory requirements are aligned with the strategic
risk transformation plan, and hence at the current date the Group complies with the standards set forth
in the BCBS1 239 regulation.
Banco Santander, S.A. - Domicilio Social: Paseo de Pereda, 9-12. 39004 SANTANDER - R.M. de Santander, Hoja 286, Folio 64, Libro 5 de Sociedades, Inscripcin 1. C.I.F.A-39000013

Risks reports contain an appropriate balance between data, analysis and qualitative comments, include
forward-looking measures, risk appetite data, limits and emerging risks, and are distributed in due time
and form to senior management.

The Group applies a common reporting taxonomy which covers all the significant risk areas within the
organisation, and which is in keeping with the Groups size, risk profile and activity.

For details of the issues discussed above, see chapter 5 of the annual report. Likewise, the evolution of
the risk profile is available on a regular basis in the quarterly financial report
(http://www.santander.com).

1
Basel Committee on Banking Supervision.

Ciudad Grupo Santander

28660 Boadilla del Monte (Madrid)