BPCE - 2018 Registration document

RISK REPORT Risk governance and management system

Training programs A large number of training programs and materials were rolled out or enhanced in 2018: annual training plan for the Group Risk and Compliance function: ● the “risk and compliance academy”; roll-out at all Group institutions of the banking risk awareness quiz, ● called “Risk Pursuit”, designed in gaming format and available for multiple devices, including tablets; design of the training materials on the Group code of conduct and ● ethics; launch of the three-day Compliance training course for the Risk, ● Compliance and Audit functions; All credit, financial and non-financial risks, including non-compliance risks, are covered by central and local mechanisms serving to ensure the adequacy of risk management systems linked to Groupe BPCE’s risk appetite and strategy. Groupe BPCE’s Supervisory Board unanimously approved Groupe BPCE’s risk appetite framework at its meeting of June 19, 2015. In addition, at its meeting of July 30, 2015, Groupe BPCE’s Supervisory Board unanimously approved the quantitative indicators used for Groupe BPCE’s risk appetite and the associated governance framework, and approved the resilience limit for each of the indicators. The most recent annual review of the Group’s risk appetite was conducted by Groupe BPCE’s Supervisory Board on November 6, 2018 to unanimous approval. RISK APPETITE As a decentralized and united cooperative group, Groupe BPCE structures its activity around share capital, held predominantly by the regional institutions, and centralized market funding optimizing the resources allocated to the entities. Groupe BPCE: through its cooperative nature, is firmly committed to generating ● recurring and resilient income for its cooperative shareholders and investors by offering the best service to its customers; must preserve the solvency, liquidity and reputation of each Group ● entity – a duty assumed by the central institution through the oversight of consolidated risks, a risk policy and shared tools; consists of regional entities and banks, which own the Group and ● its subsidiaries. In addition to normal management operations, in the event of a crisis, solidarity mechanisms between Group entities ensure the circulation of capital and prevent the entities or the central institution from defaulting; focuses on the structural risks of its full-service banking business ● model, with a predominant retail banking component in France, while incorporating other business lines necessary to provide quality service to all of its customers; diversifies its exposures by developing certain activities in line with ● its strategic plan: development of the bancassurance and asset management - businesses, 6.4.2

establishment of a new risk and compliance training program ● specifically designed for inspectors of the Group’s Inspection Générale division. Coordination and exchange of best practices Coordination of credit exposure managers, initially rolled out on the Banque Populaire network in 2017, expanded to include the Caisse d’Epargne network and the subsidiaries. Measurement of risk management and compliance culture at Group institutions A project is under way to establish a self-assessment system via risk management and compliance culture indicators at Group institutions, and is scheduled to be launched in 2019. international expansion (predominantly corporate & investment - banking and asset management, with a more targeted approach for retail banking customers). In terms of risk profile, Groupe BPCE incurs risks intrinsically associated with its retail banking and corporate & investment banking activities. Risk profile The following risks are incurred by the Group because of its business model: credit risk generated by the Group’s predominant business, i.e. ● lending to individual and corporate customers, which is managed under risk policies applied to all Group entities, concentration limits defined by counterparty, country and sector, and finally extensive oversight of loan books; structural interest rate risk, primarily linked to fixed-rate home ● loans and regulated liabilities. It is managed under group-wide standards and limits set for each entity; liquidity risk, steered centrally by allocating budget-defined ● liquidity to round out customer deposits raised by the entities; non-financial risks, managed under group-wide standards. These ● standards cover non-compliance, fraud, information system security and misconduct risks, as well as other operational risks. Accordingly: operational risks are subject to groupwide data collection - standards applicable to all Group entities, tools used to annually map out operational risks and report associated losses and incidents as they arise, monitor major risks, and monitor action plans targeting specific risks, non-compliance risks are governed by permanent controls based - on groupwide standards, a software tool used to consolidate data at Group level, compliance-specific governance and group-wide principles aimed at mitigating these risks. Finally, aligning the requirements of individual customers (cooperative shareholders whose funds comprise the Group’s share capital) and credit investors necessitates very strong aversion to reputational risk.

Groupe BPCE’s risk management system

6

633

Registration document 2018