BPCE - 2019 Universal Registration Document

6

RISK REPORT

RISK MANAGEMENT SYSTEM

In the Corporate Secretary’s Office, the main role of the Permanent Control Coordination department is to coordinate the Group’s Level 1 and 2 permanent control system. To that end, it: manages a Group-level permanent control tool (Priscop) in • close collaboration with the Group’s institutions and oversees Level 1 control standards with the business lines; uses Priscop to implement, centralize and capitalize on the • permanent controls carried out by the Risk, Compliance and Permanent Control departments of all Group institutions. The various permanent control standards are overseen and constantly updated and expanded in the tool. monitors the application of control standards, i.e. the • framework document governing the Group’s permanent control system – operational adaptation of the Internal Control Charter –, and the control sampling standard, which is based on random, representative samples. To that end, all annual control plans of retail banking institutions are centralized and analyzed each year. Other central functions also contribute to the permanent control system, such as the Legal Affairs division and the Group Human Resources division for certain issues affecting the pay policy. HIGHLIGHTS In 2019, the Permanent Control Coordination department continued working on the transformation of the Group software tool initiated in 2018, including: switching from permanent control tool Priscop to a version • offering greater security and more features; making the Level 2 control reliability improvement module • available for Level 1 controls as well; setting up links between Group risks and the controls • performed in Priscop; rolling out the Risk Management and Action Plan modules. • PERIODIC CONTROL (LEVEL 3) STRUCTURE AND ROLE OF THE GROUP INSPECTION GÉNÉRALE DIVISION Duties In accordance with the duties incumbent on the central institution, and pursuant to the rules of collective solidarity, the Group Inspection Générale division is responsible for periodically verifying the operation of all Group institutions and providing their executive managers with reasonable assurance of their financial strength. In that role, it ensures the quality, effectiveness, consistency and efficiency of their permanent control system as well as their risk management. The division’s scope of authority covers all risks, all institutions and all activities, including those that are outsourced. Its top priorities are to assess and to report to the executive and decision-making bodies of the entities and the Group as a whole on: the quality of its financial position; • the level of risks actually incurred; • the quality of its organizational structure and management; •

the consistency, adequacy and operation of risk assessment • and management systems; the reliability and integrity of accounting and management • information; compliance with the laws, regulations and rules applicable to • Groupe BPCE or each company; the effective implementation of recommendations from • previous audits and issued by the regulatory authorities. Reporting to the Chairman of the Management Board, the Group Inspection Générale division performs its duties independently of the Operational and Permanent Control divisions. Representation on Group governance bodies and Risk Management Committees In the interest of exercising its duties and contributing effectively to the promotion of an auditing culture, the Head of the Group Inspection Générale division takes part, without voting rights, in the central institution’s key Risk Management Committees. As indicated above, the Head of the Group Inspection Générale division is a member of the Group Internal Control Coordination Committee and has a standing invitation to participate in the Risk Committee and Audit Committee of BPCE, Natixis and the main Groupe BPCE subsidiaries (BPCE International, Crédit Foncier, Banque Palatine). Scope of authority To fulfill its duties, the Group Inspection Générale division establishes and maintains an inventory of the Group’s auditing scope, which is defined in coordination with the Internal Audit departments of the Group institutions. It makes sure that all institutions, activities and corresponding risks are covered by comprehensive audits, performed at frequencies defined according to the overall risk level of each institution or activity, and at least every four years on average for banking activities. In so doing, it takes into account not only its own audits, but also those conducted by the supervisory authorities and the Internal Audit divisions. The annual audit plan is defined with the Chairman of the BPCE Management Board, and presented to the Group Internal Control Coordination Committee and the Group Risk Management Committee. It is also transmitted to the national and European supervisors. Reporting Group Inspection Générale division audits contain recommendations prioritized by order of importance, which are regularly monitored (at least once every six months). The division reports the findings of its work to the executive managers of the audited companies and to their supervisory body. It also reports to the Chairman of the Management Board, the Risk Committee and the Supervisory Board of BPCE. It provides them with a report on the implementation of its major recommendations, as well as those of the ACPR and the Single Supervisory Mechanism (SSM). It sees to the expedient execution of any corrective measures to the internal control system, in accordance with Article 26 of the Ministerial Order of November 3, 2014 on internal control, and may call on the Supervisory Board Risk Committee to address any measures that have not been executed.

582

UNIVERSAL REGISTRATION DOCUMENT 2019 | GROUPE BPCE

www.groupebpce.com