BPCE - 2020 Universal Registration Document

6

RISK FACTORS & RISK MANAGEMENT

RISK MANAGEMENT SYSTEM

• the rules governing oversight of the Inspection business line between Natixis and the central institution fall within the framework of the Group audit function.

Work performed in 2020

Following the restructuring of the Group Inspection Générale division, carried out in 2020 as part of the OPAL project, the scope of intervention of the Coordination, Methods and Data department has been broadened. This expansion went together with a gradual strengthening of the teams in charge and a redeployment of the MOA support functions.

In addition to its traditional duties as point of contact for methodology issues and maintenance of the normative and regulatory corpus, the Methods unit is now gradually participating in the work of closing the recommendations in support of the Principal Inspectors in order to optimize their tasks. After hiring a third employee, it has also worked to develop and strengthen close cooperation with the Data teams, notably through dedicated methodological projects. In addition, it has revamped the “customer protection” matrix to include key questions from audit guides covering the area. It prepared and coordinated the MAG 2020 (Group Audit Assignment) on the security of the private information system and GDPR. Moreover, it has drafted several methodological notes for IGG and Group Audit inspectors on the support system for vulnerable customers (relating to inclusion and bank fees) and on the use of the PRISCOP tool (the Group’s permanent controls centralization tool). It also helped to create a white paper defining a new audit methodology for the Group’s retail activities.

In order to better meet the data usage requirements with respect to assignments carried out by the Inspection Générale division, the Data team has seen its workforce practically double and now has six employees, three inspectors on secondment, a work-study employee and an intern.
This strengthening of resources, which aims to achieve a balanced mix of skills (between data scientist and data analyst profiles), broadens the area of investigation covered and improves the quality of analyses, with greater support throughout the audit process. It also aims to upskill the workforce regarding data science techniques (OCR, web scraping, sampling). With this in mind, it has joined and participates in Groupe BPCE’s Data Science community, notably through webinars. In addition, in its role of supporting the Group’s audit function, the Data team has initiated a Data support process separate from the institutions’ Internal Audits, based on the identification of their levels and needs. Lastly, it revamped and launched the Group’s Retail risk assessment tool previously used by the IGG. The purpose of this work is to improve the process of supplying and reporting analysis results (by switching to a quarterly frequency). The system is now based on a combination of more than 130 risk indicators, with a view to a comparative assessment of the Group’s Retail institutions according to nine areas of macro-risk. It is intended to become a pre-diagnostic tool for an early-stage IGG audit assignment, as well as a component of the development (and adaptation) of the IGG’s multi-year audit plan (PPA) and of analyses of this plan specific to the Group’s institutions.

In addition, following the reorganization of the support functions, part of the project management unit joined the Coordination, Methods and Data department with a view to streamlining and optimizing tasks and creating synergies with the other functions of the department. In addition to its responsibilities of supporting Groupe BPCE’s dedicated recommendations management tool (SAIG-RECO), the new team in place (comprising two employees) pressed on with its duties of assisting in the management and monitoring of the two major projects undertaken the previous year. As such, the Data team, as part of its activity of supporting audit assignments and the parallel development of R&D projects, is working to increase the capacity for data storing and processing in a more independent manner. The second project concerns the deployment of an Audit Management Solution (AMS) to increase efficiency (preparation of the multi-year audit plan, audit assignment, etc.) and to replace the current SAIG-RECO tool. Lastly, it worked on implementing a solution to remotely access the Group Retail Information Systems (BP and CEP) for IGG employees.

The Risk division and the Corporate Secretary’s Office are responsible for permanent controls at Group level, and the Group Inspection Générale division for periodic control. The permanent and periodic control functions of affiliates and subsidiaries, subject to banking supervision, are functionally subordinate, as Consolidated Control departments, to BPCE’s corresponding Central Control divisions and report to their entity’s executive body. These ties have been formally defined in charters for each function, covering:

• a standardized opinion on the appointments and dismissals of Heads of permanent/periodic control functions at direct affiliates and subsidiaries;
• reporting, information and whistleblowing obligations;
• drafting of standard practices by the central institution set out in Group standards, definition or approval of control plans.

The entire system was approved by the Management Board on December 7, 2009, and presented to the Audit Committee on December 16, 2009 and to the BPCE Supervision Board. The Risk Charter was reviewed in 2017 and the body of standards consists of three Group charters covering all activities:

• the Group Internal Control Charter: an umbrella charter drawing on the following two individual charters:
– the Internal Audit Charter, and
– the Risk, Compliance and Permanent Control Charter.

STRUCTURE OF INTEGRATED CONTROL FUNCTIONS
