BPCE - 2019 RISK REPORT Pillar III

3

RISK MANAGEMENT SYSTEM

INTERNAL CONTROL

Permanent control system

LEVEL 1: PERMANENT CONTROL BY LINE MANAGEMENT

Management

and

Compliance

functions,

and

the

implementation of standards, norms and charters.

In the Corporate Secretary’s Office, the main role of the Permanent Control Coordination department is to coordinate the Group’s Level 1 and 2 permanent control system. To that end, it: manages a Group-level permanent control tool (Priscop) in • close collaboration with the Group’s institutions and oversees Level 1 control standards with the business lines; uses Priscop to implement, centralize and capitalize on the • permanent controls carried out by the Risk, Compliance and Permanent Control departments of all Group institutions. The various permanent control standards are overseen and constantly updated and expanded in the tool. monitors the application of control standards, i.e. the • framework document governing the Group’s permanent control system – operational adaptation of the Internal Control Charter –, and the control sampling standard, which is based on random, representative samples. To that end, all annual control plans of retail banking institutions are centralized and analyzed each year. Other central functions also contribute to the permanent control system, such as the Legal Affairs division and the Group Human Resources division for certain issues affecting the pay policy. HIGHLIGHTS In 2019, the Permanent Control Coordination department continued working on the transformation of the Group software tool initiated in 2018, including: switching from permanent control tool Priscop to a version • offering greater security and more features; making the Level 2 control reliability improvement module • available for Level 1 controls as well; setting up links between Group risks and the controls • performed in Priscop; rolling out the Risk Management and Action Plan modules. •

Level 1 permanent control is the first link in internal control and is primarily performed by operational or support departments under the supervision of their line management. These departments are responsible for: implementing formalized, documented and reportable • self-checks; documenting and verifying compliance with transaction • processing procedures, detailing the responsibility of those involved and the types of checks carried out; verifying the compliance of transactions; • implementing recommendations drawn up by Level 2 control • functions on the Level 1 control system; reporting to and alerting Level 2 control functions. • Depending on the situation and activity(ies) in question, Level 1 controls are performed, jointly if applicable, by a special-purpose Middle Office-type control unit or accounting control entity, by the operational staff themselves, or by line managers. Level 1 controls are formally reported to the relevant Permanent Control divisions or functions. LEVEL 2: PERMANENT CONTROL BY DEDICATED ENTITIES Level 2 permanent controls, within the meaning of Article 13 of Ministerial Order A-2014-11-03 on internal control, are performed by entities dedicated to this duty as part of the Group’s Risk division and Corporate Secretary’s Office in charge of Compliance and Permanent Control for Groupe BPCE. Both divisions perform Level 2 supervision of certain processes used to prepare financial information and implement a Group Level 2 permanent risk control system covering matters of governance, risk, organization, the work of the Risk

Periodic Control (Level 3)

STRUCTURE AND ROLE OF THE GROUP INSPECTION GÉNÉRALE DIVISION DUTIES

Its top priorities are to assess and to report to the executive and decision-making bodies of the entities and the Group as a whole on:

the quality of its financial position; • the level of risks actually incurred; •

In accordance with the duties incumbent on the central institution, and pursuant to the rules of collective solidarity, the Group Inspection Générale division is responsible for periodically verifying the operation of all Group institutions and providing their executive managers with reasonable assurance of their financial strength. In that role, it ensures the quality, effectiveness, consistency and efficiency of their permanent control system as well as their risk management. The division’s scope of authority covers all risks, all institutions and all activities, including those that are outsourced.

the quality of its organizational structure and management; • the consistency, adequacy and operation of risk assessment • and management systems; the reliability and integrity of accounting and management • information; compliance with the laws, regulations and rules applicable to • Groupe BPCE or each company; the effective implementation of recommendations from • previous audits and issued by the regulatory authorities.

36

RISK REPORT PILLAR III 2019 | GROUPE BPCE

www.groupebpce.com