BPCE - 2019 RISK REPORT Pillar III

3 RISK MANAGEMENT SYSTEM

INTERNAL CONTROL

ACTIVITIES IN 2019

Efforts were continued to update a body of harmonized guides covering the most commonly audited areas. In 2019, the focus on methodologies led to updated versions of guides on personal data protection, governance, private banking and discretionary portfolio management. New audit guides were prepared on audits of the sales network, outsourcing and compliance of investment services, including the expectations arising from MiFID 2 and the IDD. Supplemented by appendices and a document library, these audit guides are primarily available via the Group audit function’s SharePoint and/or the server shared with the Group Inspection Générale division.

The priority audit reviews defined for all auditable units in the multi-year audit plans of the Internal Audit divisions of each Group retail institution were updated and streamlined. Furthermore, the control program rolled out at the Banques Populaires on compliance with the service level agreement for the CASDEN Banque Populaire customer base was updated.

The Group Inspection Générale division and the Natixis Internal Audit department continued working closely to assess the follow-up of recommendations and to synchronize their respective annual macro-audit schedules for a shared scope of auditable units. They relied in particular on a shared risk assessment, joint preparation of audit plans, and a shared definition of fields of investigation/audit standards. In 2019, joint methodology projects were conducted to update shared audit guides covering market risk and private banking.

The Group Inspection Générale division also expanded its resources and contributions in the data analysis field, beginning with the gradual deployment of data visualization tool SPOTFIRE to the Group’s inspection and audit teams. The Group Inspection Générale division assisted with this deployment by organizing internal training courses for its inspectors during their break periods and external training courses for the function’s audit teams. The Data team was expanded with the addition of two Data Scientists and seconded IT Inspectors. It also worked to create and coordinate a Data community with the audit function. Data officers were appointed at each institution and a Data club was created, meeting monthly for educational and support purposes with the goal of sharing knowledge, analyses and best practices.

• the Group Inspection Générale division ensures that each entity’s Internal Audit division holds the necessary resources to perform its duties and adequately cover the multi-year audit plan;
• the multi-year and annual audit programs carried out by the Internal Audit divisions of the Group institutions are approved in conjunction with the Group Inspection Générale division; the Group Inspection Générale division is kept regularly informed of their completion or of any change in scope;
• the Group Inspection Générale division issues a formal letter of opinion and, where applicable, any reservations on the multi-year audit plan, the quality of work performed and the audit reports submitted to the Group Inspection Générale division, and the resources allocated both in terms of number of employees and expertise;
• the Internal Audit division applies the standards and methods defined and distributed by the BPCE Group Inspection Générale division, and refers to the audit guides which are, as a matter of principle, common to all internal audit function auditors;
• in the course of conducting on-site audits, the Group Inspection Générale division periodically verifies that Group companies comply with the Group Internal Audit standards.

The following items are transmitted to the Group Inspection Générale division:

• the Internal Audit reports of the Group institutions, as they are produced;
• the annual reports of the entities, prepared in accordance with Articles 258 to 264 of Ministerial Order A-2014-11-03 on internal control, are submitted to the Group Inspection Générale division which forwards them to the supervisory authorities;
• the presentations made by the Heads of Internal Audit to the Risk Management Committees, and the minutes of these meetings;
• the presentations made to the supervisory body on internal control activities and findings, and extracts of the minutes of the meetings where they were examined.
The rules governing oversight of the Inspection business line between Natixis and the central institution fall within the framework of the Group audit function. The Risk division and the Corporate Secretary’s Office are responsible for permanent controls at Group level, and the Group Inspection Générale division for periodic control. The permanent and periodic control functions of affiliates and subsidiaries, subject to banking supervision, are functionally subordinate, as Consolidated Control departments, to BPCE’s corresponding Central Control divisions and report to their entity’s executive body. These ties have been formally defined in charters for each function, covering:

• a standardized opinion on the appointments and dismissals of Heads of permanent/periodic control functions at direct affiliates and subsidiaries;

Structure of integrated control functions

• reporting, information and whistleblowing obligations;
• drafting of standard practices by the central institution set out in Group standards, definition or approval of control plans.

The entire system was approved by the Management Board on December 7, 2009, and presented to the Audit Committee on December 16, 2009 and to the BPCE Supervision Board. The Risk Charter was reviewed in 2017 and the body of standards consists of three Group charters covering all activities:

• the Group Internal Control Charter: an Umbrella Charter drawing on the following two individual charters:
  – the Internal Audit Charter, and
  – the Risk, Compliance and Permanent Control Charter.
