BPCE - 2019 Universal Registration Document

6

RISK REPORT

RISK MANAGEMENT SYSTEM

the Group Internal Control Charter: an Umbrella Charter • drawing on the following two individual charters: the Internal Audit Charter, and – the Risk, Compliance and Permanent Control Charter. – INTERNAL CONTROL COORDINATION COMMITTEE The Chairman of the BPCE Management Board is responsible for ensuring the consistency and effectiveness of the internal control system. A Group Internal Control Coordination Committee, chaired by the Chairman of the Management Board, meets periodically. This committee is responsible for dealing with all issues relating to the consistency and effectiveness of the Group internal control system, as well as the results of risk management and internal control work and follow-up work. The committee’s main responsibilities include: validating the Group Internal Control Charter, the Group Risk, • Compliance and Permanent Control Charter and the Group Internal Audit Charter; reviewing dashboards and reports on Group control results, • and presenting permanent control coordination initiatives and results; validating action plans to be implemented in order to achieve a • consistent and efficient Group permanent control system, and assessing progress made on corrective measures adopted subsequent to recommendations issued by the Group Inspection Générale division, the national or European supervisory authorities, and the Permanent Control Functions; reviewing the Group’s internal control system, identifying any • shortcomings, and suggesting appropriate solutions to further secure the institutions and the Group; reviewing the allocation of resources with respect to risks • incurred; presenting the results of institution controls or benchmarks; • deciding on any cross-business initiatives or measures aimed • at strengthening the Group’s internal control system; ensuring consistency between measures taken to strengthen • permanent control and risk areas identified during the consolidated macro-level risk mapping exercise. The members of the Executive Management Committee in charge of Risk Management (Risk division) and Compliance and Permanent Controls (Corporate Secretary’s Office), and the Head of the Group Inspection Générale division, are members of this committee. Where applicable, the Internal Control Coordination Committee may hear reports from operational managers about measures they have taken to apply recommendations made by internal and external control bodies.

The Group Inspection Générale division and the Natixis Internal Audit department continued working closely to assess the follow-up of recommendations and to synchronize their respective annual macro-audit schedules for a shared scope of auditable units. They relied in particular on a shared risk assessment, joint preparation of audit plans, and a shared definition of fields of investigation/audit standards. In 2019, joint methodology projects were conducted to update shared audit guides covering market risk and private banking. The Group Inspection Générale division also expanded its resources and contributions in the data analysis field, beginning with the gradual deployment of data visualization tool SPOTFIRE to the Group’s inspection and audit teams. The Group Inspection Générale division assisted with this deployment by organizing internal training courses for its inspectors during their break periods and external training courses for the function’s audit teams. The Data team was expanded with the addition of two Data Scientists and seconded IT Inspectors. It also worked to create and coordinate a Data community with the audit function. Data officers were appointed at each institution and a Data club was created, meeting monthly for educational and support purposes with the goal of sharing knowledge, analyses and best practices. The Risk division and the Corporate Secretary’s Office are responsible for permanent controls at Group level, and the Group Inspection Générale division for periodic control. The permanent and periodic control functions of affiliates and subsidiaries, subject to banking supervision, are functionally subordinate, as Consolidated Control departments, to BPCE’s corresponding Central Control divisions and report to their entity’s executive body. These ties have been formally defined in charters for each function, covering: a standardized opinion on the appointments and dismissals of • Heads of permanent/periodic control functions at direct affiliates and subsidiaries; reporting, information and whistleblowing obligations; • drafting of standard practices by the central institution set out • in Group standards, definition or approval of control plans. The entire system was approved by the Management Board on December 7, 2009, and presented to the Audit Committee on December 16, 2009 and to the BPCE Supervision Board. The Risk Charter was reviewed in 2017 and the body of standards consists of three Group charters covering all activities: STRUCTURE OF INTEGRATED CONTROL FUNCTIONS

584

UNIVERSAL REGISTRATION DOCUMENT 2019 | GROUPE BPCE

www.groupebpce.com