BPCE - 2018 Risk report / Pillar III

NON-COMPLIANCE, SECURITY AND OPERATIONAL RISKS Operational risks

11.5 Operational risks

Organization

The Group Operational Risk department (DROG), part of the Risk, Compliance and Permanent Control division, is in charge of identifying, measuring, monitoring and managing the operational risks incurred in all activities and functions undertaken by Group institutions and subsidiaries.

The operational risk system consists of:
● central organization and a network of operational risk managers and officers, working in all activities, entities and subsidiaries of Group institutions and subsidiaries;
● a methodology based on a set of standards and an OR tool used throughout the Group.

The operational risk management system is part of the Risk Assessment Statement (RAS) and Risk Assessment Framework (RAF) systems defined by the Group. These systems and indicators are adapted at the level of each Group institution and subsidiary.

The Operational Risk function operates:
● in all structures consolidated or controlled by the institution or the subsidiary (banking, financial, Insurance, etc.);
● in all activities exposed to operational risks, including outsourced activities, within the meaning of Article 10 q and Article 10 r of the Ministerial Order of November 3, 2014 “outsourced activities and services or other critical or essential operational tasks”.

The Group Non-Financial Risk Committee (CRNFG) defines the operational risk policy (in accordance with the Risk, Compliance and Permanent Control Charter), rolled out to the institutions and subsidiaries, and the DROG ensures that the policy is applied throughout the Group.

BPCE’s Operational Risk function ensures that the structure and systems in place at the institutions and subsidiaries allow them to achieve their objectives and fulfill their duties. To that end, it:
● coordinates the function and performs risk supervision and controls at the institutions/subsidiaries and their subsidiaries, on an individual and consolidated basis. To that end, it determines Group standards and methods, in coordination with the institutions and subsidiaries, and disseminates methodologies to be applied, standard controls to be performed and best practices;
● centralizes and analyzes the Group’s exposure to non-financial risks, verifies the implementation of corrective actions decided by the Operational Risk Committee, and reports any excessive implementation times to senior management;
● performs controls to ensure that Group standards and methods are observed by the institutions and subsidiaries;
● performs a regulatory watch, distributes and relays operational risk alerts due to incidents with the potential to spread to the appropriate institutions/subsidiaries;
● prepares reports, by institution or subsidiary, for the Group and the regulatory authorities (COREP OR), analyzes the reports and content of the OR committees of the institutions and subsidiaries, and notifies the Group Non-Financial Risk Committee of any inadequate systems and/or excessive risk exposure, which in turn notifies the institution in question.

Activities in 2018

The fiscal year saw the appropriation of a new OR tool and the new methodology by all Group institutions, along with new and revised standards, procedures and working methods defining rules and a forward-looking operational risk management methodology. This tool offers data consolidation and forward-looking management of OR exposure.

The scope and methodology of operational risk-mapping were revised to measure entity risk exposure in greater detail. This new methodology is part of the Group’s permanent control system and includes the operational risk, compliance, information system security, personal and property safety and permanent control functions.

Measurement of risk exposure is based on a forward-looking model, which quantifies and classes risk scenarios and thus provides the Non-Financial Risk Committees with the necessary elements to define their risk tolerance.

The system was rounded out with an overhaul of predictive risk indicators. These indicators are produced from the main risks identified in the non-financial risk map.

Finally, risk supervision and monitoring were improved through the drafting of reports aimed at providing a uniform measurement of the entire Group’s risk exposure and cost of risk.

The OR function’s production staff perform two types of Level 2 controls on operational risks:
● Comprehensive automated controls:
  - each month, the OR teams of Group institutions receive an OR system control report, generated automatically and addressed to the institutions and subsidiaries by the central institution.
  - this report covers any discrepancies in terms of operational risk standards within the scope of the various issues of operational risk management: organizational structure of OR management, incidents, risk mapping, predictive risk indicators, corrective actions.
  - the results of the controls, and the corrections made by the OR teams, are regularly presented to the Group Non-Financial Risk Committee.
● Manual sample-based controls:
  - the Groupe BPCE OR division and Natixis Group Risk division perform Level 2 controls of the Operational Risk function.
