BPCE - 2019 Universal Registration Document

RISK REPORT

NON-COMPLIANCE AND SECURITY RISKS

Supervision of operations Internal reports on the prevention of money laundering and terrorist financing are submitted to company directors and governing bodies, as well as to the central institution.

HIGHLIGHTS The Group Financial Security department hired additional staff in 2019 for the purpose of actively overseeing the function as whole. The permanent control system was reviewed and enhanced.

Business continuity 6.11.3

The management of business interruption risk is handled from a cross-business perspective. This includes the analysis of the Group’s main critical business lines, notably liquidity, payment instruments, securities, individual and corporate loans, and fiduciary activities.

ORGANIZATION The Group Business Continuity department, which is part of the Compliance and Security division, performs its tasks independently of operational divisions. These include: managing Group business continuity and coordinating the • Group Business Continuity function; coordinating Group crisis management; • managing the implementation of the Group Contingency and • Business Continuity Plans (CBCPs) and keeping them operational; ensuring compliance with regulatory provisions governing • business continuity; participating in Groupe BPCE’s internal and external bodies. • HIGHLIGHTS Efforts were once again focused on strengthening crisis management, with the ongoing development of the crisis management software tool (CrisisCare), redeployment of the crisis management system (I2G) for greater effectiveness, and ORGANIZATION The Group Compliance and Security division (DS-G) establishes and adapts Group Information System Security policies. It provides continuous and consolidated oversight of information system security, along with technical and regulatory oversight. It initiates and coordinates Group projects aimed at reducing risks in its field. It also represents Groupe BPCE vis-à-vis banking industry groups and public authorities. Groupe BPCE has established a groupwide Information System Security function comprising the Head of Group Information System Security (RSSI-G), who coordinates the function, and the Heads of IT System Security for all Group entities. Information System Security (ISS) 6.11.4

identification of crisis management training modules to be offered in 2020. This organizational structure proved its merit during the “Robustness” marketplace exercise and the handling of incidents arising over the course of the year. A mapping tool (ArcGIS) was added to the Group’s incident management and decision-making resources. Business continuity more broadly incorporates a risk approach, reflected in the policy distributed this year and integrated in the control database, which was adjusted accordingly. The operational aspects of the business continuity system were also addressed. A Group BCP management tool (Drive) was tested with one institution and will be rolled out groupwide in 2020. Oversight of third-party business continuity is a priority for the Group, in light of the stronger regulatory outsourcing requirements. A policy, formalized early in the year, was extended by the initiatives undertaken to establish a single Group third-party provider listing and contract management database.

6

The heads of Information System Security for parent company affiliates, direct subsidiaries and EIGs are functionally subordinate to the RSSI-G through coordinated actions. This means that: the RSSI-G is notified of the appointment of any heads of • information system security; the Group information system security policy is adopted by • individual entities in accordance with application procedures subject to validation by the Head of Group ISS; a report on the institutions’ compliance with the Group’s • information system security policy, permanent controls, risk level, primary incidents and actions is submitted to the Group Head of IT System Security.

649

UNIVERSAL REGISTRATION DOCUMENT 2019 | GROUPE BPCE