BPCE - 2018 Registration document

RISK REPORT Non-compliance, security and operational risks

6.11.5 Operational risks

ORGANIZATION

The Group Operational Risk department (DROG), part of the Risk, Compliance and Permanent Control division, is in charge of identifying, measuring, monitoring and managing the operational risks incurred in all activities and functions undertaken by Group institutions and subsidiaries.

The operational risk system consists of:
● a central organization and a network of operational risk managers and officers, working in all activities, entities and subsidiaries of Group institutions and subsidiaries;
● a methodology based on a set of standards and an OR tool used throughout the Group.

The operational risk management system is part of the Risk Assessment Statement (RAS) and Risk Assessment Framework (RAF) systems defined by the Group. These systems and indicators are adapted at the level of each Group institution and subsidiary.

The Operational Risk function operates:
● in all structures consolidated or controlled by the institution or the subsidiary (banking, financial, insurance, etc.);
● in all activities exposed to operational risks, including outsourced activities, within the meaning of Article 10 q and Article 10 r of the Ministerial Order of November 3, 2014 (“outsourced activities and services or other critical or essential operational tasks”).

The Group Non-Financial Risk Committee (CRNFG) defines the operational risk policy (in accordance with the Risk, Compliance and Permanent Control Charter), which is rolled out to the institutions and subsidiaries, and the DROG ensures that the policy is applied throughout the Group.

BPCE’s Operational Risk function ensures that the structure and systems in place at the institutions and subsidiaries allow them to achieve their objectives and fulfill their duties. To that end, it:
● coordinates the function and performs risk supervision and controls at the institutions/subsidiaries and their subsidiaries, on an individual and consolidated basis. For this purpose, it determines Group standards and methods, in coordination with the institutions and subsidiaries, and disseminates the methodologies to be applied, the standard controls to be performed and best practices;
● centralizes and analyzes the Group’s exposure to non-financial risks, verifies the implementation of corrective actions decided by the Operational Risk Committee, and reports any excessive implementation times to senior management;
● performs controls to ensure that Group standards and methods are observed by the institutions and subsidiaries;
● performs a regulatory watch, and distributes and relays operational risk alerts due to incidents with the potential to spread to the appropriate institutions/subsidiaries;
● prepares reports, by institution or subsidiary, for the Group and the regulatory authorities (COREP OR), analyzes the reports and content of the OR committees of the institutions and subsidiaries, and notifies the Group Non-Financial Risk Committee of any inadequate systems and/or excessive risk exposure, which in turn notifies the institution in question.

ACTIVITIES IN 2018

The fiscal year saw the adoption of a new OR tool and the new methodology by all Group institutions, along with new and revised standards, procedures and working methods defining rules and a forward-looking operational risk management methodology. This tool offers data consolidation and forward-looking management of OR exposure.

The scope and methodology of operational risk mapping were revised to measure entity risk exposure in greater detail. This new methodology is part of the Group’s permanent control system and includes the operational risk, compliance, information system security, personal and property safety and permanent control functions.

Measurement of risk exposure is based on a forward-looking model, which quantifies and classes risk scenarios and thus provides the Non-Financial Risk Committees with the elements they need to define their risk tolerance.

The system was rounded out with an overhaul of the predictive risk indicators. These indicators are produced from the main risks identified in the non-financial risk map.

Finally, risk supervision and monitoring were improved through the drafting of reports aimed at providing a uniform measurement of the entire Group’s risk exposure and cost of risk.

The OR function’s production staff perform two types of Level 2 controls on operational risks:
● Comprehensive automated controls:
- each month, the OR teams of Group institutions receive an OR system control report, generated automatically and addressed to the institutions and subsidiaries by the central institution;
- this report covers any discrepancies with operational risk standards within the scope of the various areas of operational risk management: organizational structure of OR management, incidents, risk mapping, predictive risk indicators, corrective actions;
- the results of the controls, and the corrections made by the OR teams, are regularly presented to the Group Non-Financial Risk Committee.
● Manual sample-based controls:
- the Groupe BPCE OR division and the Natixis Group Risk division perform Level 2 controls of the Operational Risk function;
- these controls are based on the institutions’ OR system control reports and thus cover the same scope as the reports: OR system, incidents, risk mapping, predictive risk indicators, corrective actions;
- the results of the Level 2 controls are recorded in the permanent control tool by the Groupe BPCE OR division.

Operational risk oversight

Operational risk oversight within the Group is coordinated at two levels:
● At the level of each Group institution: the Operational Risk Committee, whose meetings are prepared by the Operational Risk function, may be combined with the Non-Compliance Risk Committee to form a Compliance and
