BPCE - 2018 Registration document

6 RISK REPORT

Risk governance and management system

RISK AND COMPLIANCE FUNCTIONS Groupe BPCE’s Risk, Compliance and Permanent Control division (DRCCP) oversees the Group’s risk management, compliance and permanent control functions, focusing on the management of credit, financial, operational and non-compliance risks, extended to business continuity and Financial Audit functions, and information system security. It ensures that the risk policies of the affiliates and subsidiaries comply with those of Groupe BPCE. The Risk Management and Compliance departments of the Banque Populaire banks and Caisses d’Epargne are functionally subordinate to Groupe BPCE’s Risk Management division, as are those of subsidiaries including Natixis, Crédit Foncier, Banque Palatine and BPCE International. The Risk Management and Compliance departments of subsidiaries not subject to the banking supervision regulatory framework are functionally subordinate to Groupe BPCE’s DRCCP. Group institutions are responsible for defining, monitoring and managing their risk levels, as well as producing reports and data for submission to the central institution’s DRCCP. They ensure the quality, reliability and completeness of the data used to control and monitor risks at the company level and on a consolidated basis, in line with Group risk standards and policies. In the course of their work, the Group’s institutions rely on the Group Risk, Compliance and Permanent Control Charter. The charter specifies that each institution’s supervisory body and executive managers promote the risk management culture at all levels of their organization. The Group Risk, Compliance and Permanent Control division (DRCCP) coordinates and oversees all Groupe BPCE Risk and Compliance functions. The Risk, Compliance and Permanent Control Charter calls for the DRCCP to participate, at its own initiative, in the annual performance assessment of the heads of the permanent control functions, particularly risk and/or compliance, in consultation with the Chairman of the Management Board or the Chief Executive Officer. More specifically, to coordinate cross-business projects, the DRCCP relies on the Governance and Coordination department. This department also handles day-to-day coordination of the entire system, which is supported by the functional subordination of the institutions’ Risk Management and Compliance divisions to Groupe BPCE’s Risk, Compliance and Permanent Control division, and contributes to the overall monitoring of Group risk, mainly through: oversight and updates of key Risk and Compliance function ● documents such as charters and standards; Executive Committee analyses of risks incurred by the Banque ● Populaire banks, the Caisses d’Epargne and the subsidiaries; coordination of Risk Management and Compliance function events ● through a series of national Risk Management and Compliance Days, including discussions and exchanges on risk- and compliance-related issues, presentations on the work done by the functions, training and sharing of best practices in the credit, financial, operational and compliance fields between all Group institutions. Risk Management and Compliance Days also provide opportunities to strengthen group-wide solidarity in the risk management and/or compliance professions in today’s ever-changing regulatory environment. In addition, audioconferences and regional meetings are attended by the Heads of Risk Management and Compliance of the networks and subsidiaries to address current topics and events; GOVERNANCE AND COORDINATION Organization

a document library dedicated to the risk, compliance and ● permanent control functions; operational efficiency initiatives (headcount benchmark standards, ● risk and compliance half-year reporting, risk appetite framework and institution macro-level risk mapping); oversight of all recommendations issued by the supervisory ● authorities and by the Group’s Inspection Générale division covering Risks, Compliance and Permanent Control; support for new Heads of Risk Management and/or Compliance of ● Groupe BPCE institutions via a special program; frequent on-site meetings with the Heads of Risk Management ● and/or Compliance and teams of the Banque Populaire banks and the Caisses d’Epargne; in addition to the operational committee meetings attended by the ● Group DRCCP, general meetings held with each of the main BPCE subsidiaries (Natixis, Crédit Foncier, Banque Palatine and BPCE International) for a comprehensive review with the Head of DRCCP; distribution of a newsletter (“Mag R&C”) to the heads of Group ● institutions, the heads of the various functions (including Sales) and the employees of the Risk, Compliance and Permanent Control functions, as well as all Group employees. Rounding out these communications, two additional letters are sent out more frequently: one summarizing regulatory changes and another summarizing the work conducted by all Group Risk, Compliance and Permanent Control departments; an annual training program offered to all Risk and Compliance ● function employees, in conjunction with the Group Human Resources division. In addition, a university training course on “internal control and risk management at financial institutions” is given at Université Paris-Dauphine. Participants earn a degree upon successful completion of the course. Two workshops focused on compliance and permanent control have also been added; and, in general, the practice of risk and compliance awareness and ● sharing of best practices throughout the Group, in particular via a digital document library (the “Kiosk”) for all employees of the Group Risk, Compliance and Permanent Control functions. The Regulation division conducts a regulatory watch covering the scope of the DRCCP and assists in Group projects involving a regulatory component. It participates in industry-wide efforts in coordination with the Group’s other Regulatory divisions. The division also dispenses training and organizes awareness-building campaigns for Group employees on regulatory issues. It supports the institutions during on-site audits conducted by the supervisory authorities, particularly those addressing compliance issues. The Supervision division is tasked with coordinating all dealings with supervisory bodies, working closely alongside the Group’s Inspection Générale division. This primarily concerns the relationship with the European Central Bank and the Joint Supervisory Team in charge of the continuous supervision of Groupe BPCE, as well as the ACPR and the other French supervisory (AMF) or regulatory authorities (Banque de France, French Treasury department), and foreign authorities ( e.g. US Federal Reserve). The team attends all supervisory meetings within the Risk and Compliance scope. It also follows up on the primary on-site audits conducted by the supervisory bodies and the resulting recommendations. Finally, it coordinates all ad hoc or one-time requests received from the ECB or ACPR by the central institution. For coordination purposes, the DRCCP relies on a half-yearly report drawn up by the institutions, aimed at ensuring that the various components of the local systems are properly implemented and operate under satisfactory conditions, particularly with respect to

630

Registration document 2018