BPCE - 2019 RISK REPORT Pillar III

OPERATIONAL RISKS

OPERATIONAL RISK OVERSIGHT

Operational risk oversight within the Group is coordinated at two levels:

At the level of each Group institution

• The Operational Risk Committee is responsible for adapting the operational risk management policy and ensuring the relevance and effectiveness of the operational risk management system. Accordingly, it:
  • examines major and recurring incidents, and validates the associated corrective actions;
  • examines indicator breaches, decides on associated corrective actions, and tracks progress on risk mitigation initiatives;
  • examines permanent controls carried out by the Operational Risk function and in particular any excessive delays in implementing corrective actions;
  • helps organize and train the network of OR officers;
  • determines if any changes need to be made in local insurance policies.
• The frequency of meetings depends on the intensity of the institution’s risks, in accordance with three operational schemes reviewed once a year by the Group Non-Financial Risk Committee (CRNFG) and communicated to the entities.

At Groupe BPCE level

• The CRNFG meets quarterly and is chaired by a member of the Executive Management Committee.
• Its main duties are to define the OR standard, ensure that the OR system is deployed at the Group entities, and define the Group OR policy. Accordingly, it:
  • examines major risks incurred by the Group and defines its tolerance level, decides on the implementation of corrective actions affecting the Group and monitors their progress;
  • assesses the level of resources to be allocated;
  • reviews major incidents within its remit, validates the aggregated map of operational risks at Group level, which is used for the macro-level risk mapping campaign;
  • monitors major risk positions across all Group businesses, including risks relating to non-compliance, financial audits, personal and property safety, contingency and business continuity planning, financial security and information system security (ISS);
  • lastly, validates Group RAF indicators related to non-financial risks as well as their thresholds.

Incident and loss data collection

Incident data are collected to build knowledge of the cost of risks, continuously improve management systems, and meet regulatory objectives. An incident log (incident database) was created to:
• broaden risk analysis and gain the knowledge needed to adjust action plans and assess their relevance;
• produce COREP regulatory half-year operational risk statements;
• produce reports for the executive and governing bodies and for non-management personnel;
• establish a record that can be used for operational risk modeling.

Incidents are reported as they occur, as soon as they are detected, in accordance with Group procedure. A whistleblowing procedure has been set up for major incidents and internal limit breaches to round out the incident data collection system.

Operational risk oversight

MAPPING

The operational risk management system relies on a mapping process which is updated annually by all Group entities. Mapping enables the forward-looking identification and measurement of high-risk processes. For a given scope, it allows the Group to measure its exposure to risks for the year ahead. This exposure is then assessed and validated by the relevant committees in order to launch action plans aimed at reducing exposure. The mapping scope includes emerging risks, IS risks (including cyber risk), and non-compliance risks. This same mapping mechanism is used during the Group’s ICAAP to identify and measure its main operational risks. The operational risk map also serves as a basis for the macro-level risk mapping campaign covering the institutions, and thus for the Group overall.

ACTION PLANS AND MONITORING OF CORRECTIVE ACTIONS

Corrective actions are implemented to reduce the frequency, impact or spread of operational risks. They may be introduced following operational risk mapping, breaches of risk indicator thresholds or specific incidents. Progress on key actions is monitored by each entity’s Operational Risk Management Committee. At Group level, progress on action plans for the principal risk areas is also specifically monitored by the Non-Financial Risk Management Committee.
