BPCE - 2019 Universal Registration Document

RISK REPORT

OPERATIONAL RISKS

Operational risks 6.12

ORGANIZATION The Group Operational Risk department (DROG) – part of the Group Risk division – is in charge of identifying, measuring, monitoring and managing the operational risks incurred in all activities and functions undertaken by Group institutions and subsidiaries. The operational risk system consists of: central organization and a network of operational risk • managers and officers, working in all activities, entities and subsidiaries of Group institutions and subsidiaries; a methodology based on a set of standards and an OR tool • used throughout the Group. The Operational Risk function operates: in all structures consolidated or controlled by the institution or • the subsidiary (banking, financial, insurance, etc.); in all activities exposed to operational risks, including • outsourced activities, within the meaning of Article 10 q and Article 10 r of the Ministerial Order of November 3, 2014 “outsourced activities and services or other critical or essential operational tasks”. The Group Non-Financial Risk Committee (CRNFG) defines the risk policy rolled out to the institutions and subsidiaries, and the DROG ensures that the policy is applied throughout the Group. METHODOLOGY The operational risk management system is part of the Risk Assessment Statement (RAS) and Risk Assessment Framework (RAF) systems defined by the Group. These systems and indicators are adapted at the level of each Group institution and subsidiary. The mapping methodology is part of the Group’s permanent control system and includes the operational risk, compliance, information system security, personal and property safety and Permanent Control Functions. Measurement of risk exposure is based on a forward-looking model, which quantifies and classes risk scenarios and thus provides the Non-Financial Risk Committees with the necessary elements to define their risk tolerance.

Risk-predictive indicators are produced from the main risks identified in the non-financial risk map. Risk supervision and monitoring were improved through the drafting of reports aimed at providing a uniform measurement to the Group as a whole of its risk exposure and cost of risk. The OR function’s production staff perform two types of Level 2 controls on operational risks: comprehensive automated controls; • sample-based manual controls. • BPCE’s Operational Risk function ensures that the structure and systems in place at the institutions and subsidiaries allow them to achieve their objectives and fulfill their duties. To that end, it: coordinates the function and performs risk supervision • and controls at the institutions/subsidiaries and their subsidiaries; centralizes and analyzes the Group’s exposure to • non-financial risks, verifies the implementation of corrective actions decided by the Operational Risk Committee, and reports any excessive implementation times to senior management; performs controls to ensure that Group standards and • methods are observed by the institutions and subsidiaries; performs a regulatory watch, distributes and relays • operational risk alerts due to incidents with the potential to spread to the appropriate institutions/subsidiaries; prepares reports, by institution or subsidiary, for the • Group and the regulatory authorities (COREP OR), analyzes the reports and content of the OR committees of the institutions and subsidiaries, and notifies the Group Non-Financial Risk Committee of any inadequate systems and/or excessive risk exposure, which in turn notifies the institution in question.

6

651

UNIVERSAL REGISTRATION DOCUMENT 2019 | GROUPE BPCE