BPCE - 2019 Universal Registration Document

RISK REPORT

RISK MANAGEMENT SYSTEM

Relations with the Permanent Control divisions of the central institution In the central institution, the Head of the Group Inspection Générale division maintains regular relations and shares information with the heads of the units in the scope of inspection, and more specifically with the divisions in charge of Level 2 controls. The heads of these divisions are responsible for notifying the Head of the Group Inspection Générale division in a timely manner of any disruption or major incident that comes to their attention. The Head of Groupe BPCE’s Inspection Générale division and the Heads of Group Risk Management and Group Compliance and Security notify each other in a timely manner of any inspection or disciplinary procedure initiated by the supervisory authorities and in general of any external audits brought to their attention. Activities in 2019 Over the course of the complete cycle of investigations conducted over an average four-year period, and relying on a risk assessment updated regularly for each institution, the Group Inspection Générale division carried out its audit schedule largely according to plan, making a few adjustments for ongoing restructuring operations at entities initially included in the schedule or for regulatory priorities. It also performed a quarterly follow-up on the implementation of recommendations issued by the division, the ACPR and the SSM. Pursuant to Article 26 of Ministerial Order A-2014-11-03 on internal control, the Group Inspection Générale division is able to use the whistleblowing system to alert the Risk Committee of delays in the implementation of recommendations. The Group Inspection Générale division carries out its duties within the framework of business line operations. Its methods of operation – for the purposes of consolidated supervision and optimal use of resources – are set out in a charter approved by BPCE on December 7, 2009, which was last updated in July 2018. The aim of this structure is to cover all of the Group’s operational or functional units over a reasonable number of fiscal years, according to the associated risk, and to achieve efficiency between the various complementary audits conducted by the Internal Audits teams of Group entities. The Internal Audit divisions of the direct affiliates and subsidiaries are functionally subordinate to the Group Inspection Générale division and report to the executive branch of their entity. These ties are strictly replicated at the level of each company in the Group, which is itself a parent company. This strong functional subordination is also based on operating rules and the Group Internal Audit Standards applicable by the entire function. It is reflected as follows: in the groupwide Audit Charter, which defines the end • purpose, powers, responsibilities and general structure of the internal audit function in the overall internal control system, and applies to all Group companies supervised on a consolidated basis. This charter is implemented via thematic standards (audit resources, audit of the sales network, audit assignments, follow-up of recommendations, etc.); AUDIT FUNCTION Structure of the audit function

the appointment and dismissal of the Heads of Internal Audit of • affiliates or direct subsidiaries are subject to the prior approval of the Head of the BPCE Group Inspection Générale division; the annual evaluations of Heads of Internal Audit are • transmitted to the Head of the BPCE Group Inspection Générale division; the Group Inspection Générale division ensures that each • entity’s Internal Audit division holds the necessary resources to perform its duties and adequately cover the multi-year audit plan; the multi-year and annual audit programs carried out by the • Internal Audit divisions of the Group institutions are approved in conjunction with the Group Inspection Générale division; the Group Inspection Générale division is kept regularly informed of their completion or of any change in scope; the Group Inspection Générale division issues a formal letter • of opinion and, where applicable, any reservations on the multi-year audit plan, the quality of work performed and the audit reports submitted to the Group Inspection Générale division, and the resources allocated both in terms of number of employees and expertise; the Internal Audit division applies the standards and methods • defined and distributed by the BPCE Group Inspection Générale division, and refers to the audit guides which are, as a matter of principle, common to all internal audit function auditors; in the course of conducting on-site audits, the Group • Inspection Générale division periodically verifies that Group companies comply with the Group Internal Audit standards. The following items are transmitted to the Group Inspection Générale division: the Internal Audit reports of the Group institutions, as they are • produced; the annual reports of the entities, prepared in accordance with • Articles 258 to 264 of Ministerial Order A-2014-11-03 on internal control, are submitted to the Group Inspection Générale division which forwards them to the supervisory authorities; the presentations made by the Heads of Internal Audit to the • Risk Management Committees, and the minutes of these meetings; the presentations made to the supervisory body on internal • control activities and findings, and extracts of the minutes of the meetings where they were examined. The rules governing oversight of the Inspection business line between Natixis and the central institution fall within the framework of the Group audit function. Activities in 2019 Efforts were continued to update a body of harmonized guides covering the most commonly audited areas. In 2019, the focus on methodologies led to updated versions of guides on personal data protection, governance, private banking and discretionary portfolio management. New audit guides were prepared on audits of the sales network, outsourcing and compliance of investment services, including the expectations arising from MiFID 2 and the IDD. Supplemented by appendices and a document library, these audit guides are primarily available via the Group audit function’s SharePoint and/or the server shared with the Group Inspection Générale division. The priority audit reviews defined for all auditable units in the multi-year audit plans of the Internal Audit divisions of each Group retail institution were updated and streamlined. Furthermore, the control program rolled out at the Banques Populaires on compliance with the service level agreement for the CASDEN Banque Populaire customer base was updated.

6

583

UNIVERSAL REGISTRATION DOCUMENT 2019 | GROUPE BPCE