BPCE - 2018 Risk report / Pillar III

NON-COMPLIANCE, SECURITY AND OPERATIONAL RISKS Operational risks

Operational risk oversight

MAPPING The operationalrisk managementsystem relies on a mapping process which isupdated annually by all Group entities. Mapping enables the forward-looking identification and measurement(using expert opinion and combined with quantitative analysis which includes scenarios taken from external events) of high-riskprocesses.For a given scope, it allows the Group to measure its exposureto risks for the year ahead. This exposureis then assessed and validated by the relevant committees in order to launch action plans aimed at reducing exposure. The mapping scope includes emerging risks, IS risks (including cyber risk), and non-compliance risks. This same mapping mechanism is used during the Group’s ICAAP to identify and measure its main operational risks. The operational risk Incidentalert procedure The alert procedure for serious incidents has been extended to the entire scope of Groupe BPCE. The aim of this system is to enhance and reinforce the system for collecting loss data across the Group. An operational risk incident is deemed to be serious when the potential financial impact at the time of detection is over € 300,000, or over € 1 million for Natixis. Operational risk incidents with a

map also serves as a basis for the macro-levelrisk mappingcampaign covering the institutions, and thus for the Group overall.

ACTION PLANS AND MONITORING OF CORRECTIVE ACTIONS

Corrective actions are implementedto reduce the frequency, impact or spread of operational risks. They may be introduced following operational risk mapping, breaches of risk indicator thresholds or specific incidents. Progresson key actions is monitoredby each entity’s OperationalRisk Management Committee. At Group level, progress on action plans for the principal risk areas is also specifically monitored by the Non-Financial Risk Management Committee.

material impact on the image and reputation of the Group or its subsidiaries are also deemed to be serious. There is also a procedurein place coveringmaterial operationalrisks, within the meaning of Article 98 of the Ministerial Order of November 3, 2014, for which the minimumthresholdis set at 0.5%of Common EquityTier 1.

11

209

Risk Report Pillar III 2018