BPCE - 2018 Registration document

6 RISK REPORT

Non-compliance, security and operational risks

INCIDENT AND LOSS DATA COLLECTION

Incident data are collected to build knowledge of the cost of risks, continuously improve management systems, and meet regulatory objectives. An incident log (incident database) was created to:
● broaden risk analysis and gain the knowledge needed to adjust action plans and assess their relevance;
● produce COREP regulatory half-year operational risk statements;
● produce reports for the executive and governing bodies and for non-management personnel;
● establish a record that can be used for operational risk modeling.

Incidents are reported as they occur, as soon as they are detected, in accordance with Group procedure.

OPERATIONAL RISK OVERSIGHT

Mapping

The operational risk management system relies on a mapping process which is updated annually by all Group entities. Mapping enables the forward-looking identification and measurement (using expert opinion combined with quantitative analysis, which includes scenarios taken from external events) of high-risk processes. For a given scope, it allows the Group to measure its exposure to risks for the year ahead. This exposure is then assessed and validated by the relevant committees in order to launch action plans aimed at reducing exposure. The mapping scope includes emerging risks, IS risks (including cyber risk), and non-compliance risks. This same mapping mechanism is used during the Group’s ICAAP to identify and measure its main operational risks. The operational risk map also serves as a basis for the macro-level risk mapping campaign covering the institutions, and thus for the Group overall.

Action plans and monitoring of corrective actions

Corrective actions are implemented to reduce the frequency, impact or spread of operational risks. They may be introduced following operational risk mapping, breaches of risk indicator thresholds or specific incidents. Progress on key actions is monitored by each entity’s Operational Risk Management Committee. At Group level, progress on action plans for the principal risk areas is also specifically monitored by the Non-Financial Risk Management Committee.

Operational Risk Committee. For Group governance purposes, it can also be a sub-committee of the Executive Risk Committee. This committee is responsible for adapting the operational risk management policy and ensuring the relevance and effectiveness of the operational risk management system. Accordingly, it:
- examines major and recurring incidents (and validates corrective actions to be taken), determines risk tolerance (based on the Top 10 risks: 99.9% VaR exposure, 95% VaR exposure and expected losses), validates the local OR risk mapping campaign and decides on corrective actions aimed at reducing exposure to excessive risks;
- examines indicator breaches, decides on corrective actions to be taken, and monitors progress on risk mitigation initiatives following major incidents and risks deemed excessive (determined from the risk-mapping campaign) or decided after thresholds have been breached; is notified in the event of excessive delays in implementing corrective actions;
- examines permanent controls carried out by the Operational Risk function and in particular any excessive delays in implementing corrective actions;
- helps organize the network of operational risk officers, monitors awareness-raising and training initiatives, and monitors awareness-raising initiatives specifically targeting a given business line or function;
- examines, at least twice a year, any incidents liable to trigger claims (reconciliation between the OR incident database and the local and group claim databases) to highlight the net residual loss after the application of Insurance coverage and notes any necessary changes in local Insurance policies;
- determines if any changes need to be made in local Insurance policies.

The frequency of meetings depends on the intensity of the institution’s risks, in accordance with three operational schemes reviewed once a year by the CRNFG and communicated to the entities.

At Groupe BPCE level:
● The committee meets quarterly and is chaired by a member of the Executive Management Committee. Its main duties are to define the OR standard, ensure that the OR system is deployed at the Group entities, and define the Group OR policy. To that end, the committee:
- examines major risks incurred by the Group and defines its tolerance level, decides on the implementation of corrective actions affecting the Group and monitors their progress;
- assesses the level of resources to be allocated;
- reviews major incidents within its remit, validates the aggregated map of operational risks at Group level, which is used for the macro-level risk mapping campaign;
- monitors major risk positions across all Group businesses, including risks relating to non-compliance, financial audits, personal and property safety, contingency and business continuity planning, financial security and information system security (ISS);
- lastly, validates Group RAF indicators related to non-financial risks as well as their thresholds.
