BPCE - 2018 Risk report / Pillar III

4 RISK GOVERNANCE AND MANAGEMENT SYSTEM Governance of risk management

Risk and Compliance functions Groupe BPCE’s Risk, Compliance and Permanent Control division (DRCCP) oversees the Group’s risk management, compliance and permanentcontrol functions, focusing on the managementof credit, financial,operationaland non-compliancerisks, extendedto business continuity and Financial Audit functions, and information system security. It ensures that the risk policies of the affiliates and subsidiaries comply with those of Groupe BPCE. The Risk Management and Compliance departments of the Banque Populairebanks and Caisses d’Epargneare functionallysubordinateto Groupe BPCE’s Risk Managementdivision, as are those of subsidiaries including Natixis, Crédit Foncier, Banque Palatine and BPCE International.The Risk Managementand Compliancedepartmentsof ORGANIZATION The Group Risk, Complianceand PermanentControl division (DRCCP) coordinates and oversees all Groupe BPCE Risk and Compliance functions. The Risk, Complianceand PermanentControl Charter calls for the DRCCP to participate, at its own initiative, in the annual performance assessment of the heads of the permanent control functions, particularly risk and/or compliance, in consultation with the Chairman of the Management Board or the Chief Executive Officer. More specifically, to coordinate cross-business projects, the DRCCP relies on the Governance and Coordination department. This department also handles day-to-day coordination of the entire system, which is supported by the functional subordination of the institutions’ Risk Management and Compliance divisions to Groupe BPCE’s Risk, Compliance and Permanent Control division, and contributesto the overall monitoringof Group risk, mainlythrough: oversight and updates of key Risk and Compliance function ● documents suchas charters and standards; Executive Committee analyses of risks incurred by the Banque ● Populairebanks, the Caisses d’Epargne and the subsidiaries; coordinationof Risk Managementand Compliancefunction events ● through a series of national Risk Management and Compliance Days, including discussions and exchanges on risk- and compliance-relatedissues, presentationson the work done by the functions, training and sharing of best practices in the credit, financial, operational and compliance fields between all Group institutions. Risk Management and Compliance Days also provide opportunities to strengthen group-wide solidarity in the risk management and/or compliance professions in today’s ever-changing regulatory environment. In addition, audioconferencesand regional meetingsare attendedby the Heads of Risk Management and Compliance of the networks and subsidiaries to addresscurrent topics andevents; a document library dedicated to the risk, compliance and ● permanent control functions; operational efficiency initiatives (headcount benchmark standards, ● risk and compliance half-year reporting, risk appetite framework and institution macro-level risk mapping); Governance and coordination

subsidiaries not subject to the banking supervision regulatory framework arefunctionally subordinate to Groupe BPCE’sDRCCP. Group institutions are responsible for defining, monitoring and managing their risk levels, as well as producing reports and data for submissionto the centralinstitution’sDRCCP.They ensure the quality, reliability and completenessof the data used to control and monitor risks at the company level and on a consolidatedbasis, in line with Group risk standards andpolicies. In the course of their work, the Group’s institutionsrely on the Group Risk, Compliance and Permanent Control Charter. The charter specifies that each institution’s supervisory body and executive managers promote the risk managementculture at all levels of their organization. oversight of all recommendations issued by the supervisory ● authoritiesand by the Group’s InspectionGénérale divisioncovering Risks, Compliance and Permanent Control; support for new Heads of Risk Managementand/or Complianceof ● Groupe BPCE institutions via a special program; frequent on-site meetings with the Heads of Risk Management ● and/or Compliance and teams of the Banque Populaire banks and the Caisses d’Epargne; in addition to the operationalcommitteemeetingsattended by the ● Group DRCCP, general meetings held with each of the main BPCE subsidiaries (Natixis, Crédit Foncier, Banque Palatine and BPCE International) fora comprehensive review with the Head of DRCCP; distribution of a newsletter (“Mag R&C”) to the heads of Group ● institutions, the heads of the various functions (including Sales) and the employeesof the Risk, Complianceand PermanentControl functions, as well as all Group employees. Rounding out these communications, two additional letters are sent out more frequently: one summarizing regulatory changes and another summarizingthe work conductedby all Group Risk, Complianceand Permanent Control departments; an annual training program offered to all Risk and Compliance ● function employees, in conjunction with the Group Human Resources division. In addition, a university training course on “internal control and risk managementat financial institutions” is given at UniversitéParis-Dauphine.Participantsearn a degree upon successful completion of the course. Two workshops focused on compliance and permanent control have also been added; and in general, the practice of risk and compliance awareness and ● sharing of best practices throughoutthe Group, in particular via a digital documentlibrary (the “Kiosk”)for all employeesof the Group Risk, Complianceand Permanent Control functions. The Regulation division conducts a regulatory watch covering the scope of the DRCCP and assists in Group projects involving a regulatory component. It participates in industry-wide efforts in coordinationwith the Group’s other Regulatorydivisions.The division also dispenses training and organizes awareness-buildingcampaigns for Group employeeson regulatoryissues. It supports the institutions during on-site audits conducted by the supervisory authorities, particularly those addressing compliance issues.

66

Risk Report Pillar III 2018