BPCE - 2019 RISK REPORT Pillar III

3

RISK MANAGEMENT SYSTEM

RISK MANAGEMENT

Risk management 3.3

Governance of risk management

Two Group-level bodies are responsible for governance of risk management: the Supervisory Board, which relies on the Board’s Risk Committee, and the Management Board. Chaired by the Chairman of the Management Board, the Group Risk and Compliance Committee (an Umbrella Committee) sets the broad risk policy, decides on the global caps and limits for Groupe BPCE and for each institution, validates the authorization limits of other committees, examines the principal risk areas for Groupe BPCE and for each institution, reviews consolidated risk reports and approves risk action plans for the measurement, supervision and management of risks, as well as Groupe BPCE’s principal risk standards and procedures. It monitors limits (Ministerial Order of November 3, 2014 on internal control, Article 226), particularly when overall limits are likely to be reached (Ministerial Order of November 3, 2014 on internal control, Article 229).

The committee also examines matters relating to non-financial risks, specifically including risks associated with the compliance of banking and insurance activities, investment services and financial security. Overall risk limits are regularly reviewed and presented to the Group Risk and Compliance Committee (Ministerial Order of November 3, 2014 on internal control, Article 224) as part of the risk appetite framework (RAF). This committee provides the Supervisory Board Risk Committee with proposed criteria and thresholds for the identification of incidents to be brought to the attention of the supervisory body (Ministerial Order of November 3, 2014 on internal control, Articles 98 and 244). The Group Risk Committee is notified twice a year of the conditions under which the established limits were observed (Ministerial Order of November 3, 2014 on internal control, Article 252).

Organization of risk management

Groupe BPCE’s Risk division and Corporate Secretary’s Office measure, monitor and manage risks, including non-compliance risks, pursuant to the Ministerial Order of November 3, 2014 on internal control.

They ensure that the risk management system is effective, complete and consistent, and that risk-taking is consistent with the guidelines for the business (particularly targets and resources of the Group and its institutions).

Group policy and standards

Supervision and control

Coordination

present the Management Board and Supervisory • Board with a risk appetite framework for the Group and ensure its implementation and roll-out at each major entity; help draw up risk policies on a consolidated basis, • inform overall risk limits, contribute to discussions on capital allocation and ensure that portfolios are managed in accordance with these limits and allocations; define and implement standards and methods for • consolidated risk measurement, risk-taking approval, risk control and reporting, and compliance with risk regulations; oversee the risk information system, working closely • with the IT departments, while defining the standards to be applied for the measurement, control, reporting and management of risks.

carry out the annual macro-level risk mapping • exercise, factoring in the overall risk policy, risk appetite and annual permanent control plan, which is part of the internal control system; assess and control the level of risk across the Group; • conduct permanent supervision of limit breachess • and their resolution, centralize risk data and prepare forward-looking risk reports on a consolidated basis; help the Groupe BPCE Management Board to • identify emerging risks, concentration of risk and other various developments, and to devise strategy and adjust risk appetite; perform stress tests with the goal of identifying • areas of risk and the Group’s resilience under various predetermined shock scenarios; conduct controls to ensure that the operations and • internal procedures of Group companies comply with legal, professional, or internal standards applicable to banking, financial and insurance activities; perform Level 2 controls of certain processes used to • prepare financial information, and implemens a Group Level 2 permanent risk control system.

are functionally subordinate to the Risk and • Compliance functions, participating in the work of local Risk Committees or receiving the results of their work, coordinating the departments and approving the appointment or dismissal of all new Heads of Risk Management, Heads of Compliance, or Heads of Risk and Compliance, by meeting with the relevant managers and/or teams during national or local meetings and during checks on-site or at BPCE; help disseminate risk and compliance awareness • and promote the sharing of best practices throughout the Group.

28

RISK REPORT PILLAR III 2019 | GROUPE BPCE

www.groupebpce.com