BPCE - 2018 Risk report / Pillar III

11 NON-COMPLIANCE, SECURITY AND OPERATIONAL RISKS

Operational risks

- these controls are based on the institutions’ OR system control reports and thus cover the same scope as the reports: OR system, incidents, risk mapping, predictive risk indicators, corrective actions;
- the results of the Level 2 controls are recorded in the permanent control tool by the Groupe BPCE OR division.

Operational risk oversight

Operational risk oversight within the Group is coordinated at two levels:

At the level of each Group institution:

● The Operational Risk Committee, whose meetings are prepared by the Operational Risk function, may be combined with the Non-Compliance Risk Committee to form a Compliance and Operational Risk Committee. For Group governance purposes, it can also be a sub-committee of the Executive Risk Committee. This committee is responsible for adapting the operational risk management policy and ensuring the relevance and effectiveness of the operational risk management system. Accordingly, it:
- examines major and recurring incidents (and validates corrective actions to be taken), determines risk tolerance (based on the Top 10 risks: 99.9% VaR exposure, 95% VaR exposure and expected losses), validates the local OR risk mapping campaign and decides on corrective actions aimed at reducing exposure to excessive risks;
- examines indicator breaches, decides on corrective actions to be taken, and monitors progress on risk mitigation initiatives following major incidents and risks deemed excessive (determined from the risk-mapping campaign) or decided after thresholds have been breached; is notified in the event of excessive delays in implementing corrective actions;
- examines permanent controls carried out by the Operational Risk function and in particular any excessive delays in implementing corrective actions;
- helps organize the network of operational risk officers, monitors awareness-raising and training initiatives, and monitors awareness-raising initiatives specifically targeting a given business line or function;
- examines, at least twice a year, any incidents liable to trigger claims (reconciliation between the OR incident database and the local and group claim databases) to highlight the net residual loss after the application of Insurance coverage and notes any necessary changes in local Insurance policies;
- determines if any changes need to be made in local Insurance policies.

The frequency of meetings depends on the intensity of the institution’s risks, in accordance with three operational schemes reviewed once a year by the CRNFG and communicated to the entities.

At Groupe BPCE level:

● The committee meets quarterly and is chaired by a member of the Executive Management Committee. Its main duties are to define the OR standard, ensure that the OR system is deployed at the Group entities, and define the Group OR policy. To that end, the committee:
- examines major risks incurred by the Group and defines its tolerance level, decides on the implementation of corrective actions affecting the Group and monitors their progress;
- assesses the level of resources to be allocated;
- reviews major incidents within its remit, validates the aggregated map of operational risks at Group level, which is used for the macro-level risk mapping campaign;
- monitors major risk positions across all Group businesses, including risks relating to non-compliance, financial audits, personal and property safety, contingency and business continuity planning, financial security and information system security (ISS);
- lastly, validates Group RAF indicators related to non-financial risks as well as their thresholds.

Incident and loss data collection

Incident data are collected to build knowledge of the cost of risks, continuously improve management systems, and meet regulatory objectives.

An incident log (incident database) was created to:
● broaden risk analysis and gain the knowledge needed to adjust action plans and assess their relevance;
● produce COREP regulatory half-year operational risk statements;
● produce reports for the executive and governing bodies and for non-management personnel;
● establish a record that can be used for operational risk modeling.

Incidents are reported as they occur, as soon as they are detected, in accordance with Group procedure.
