BPCE - 2020 Universal Registration Document

6 RISK FACTORS & RISK MANAGEMENT

OPERATIONAL RISK OVERSIGHT

Operational risk oversight within the Group is coordinated at two levels:

1. At the level of each Group institution

• The Operational Risk Committee is responsible for adapting the operational risk management policy and ensuring the relevance and effectiveness of the operational risk management system. Accordingly, it:
  – examines major and recurring incidents, and validates the associated corrective actions;
  – examines indicator breaches, decides on associated corrective actions, and tracks progress on risk mitigation initiatives;
  – examines permanent controls carried out by the Operational Risk function and in particular any excessive delays in implementing corrective actions;
  – helps organize and train the network of OR officers;
  – determines if any changes need to be made in local insurance policies.
• The frequency of meetings depends on the intensity of the institution’s risks, in accordance with three operational schemes reviewed once a year by the Group Non-Financial Risk Committee (CRNFG) and communicated to the entities.

2. At Groupe BPCE level

• The CRNFG meets quarterly and is chaired by a member of the Executive Management Committee.
• Its main duties are to define the OR standard, ensure that the OR system is deployed at the Group entities, and define the Group OR policy. Accordingly, it:
  – examines major risks incurred by the Group and defines its tolerance level, decides on the implementation of corrective actions affecting the Group and monitors their progress;
  – assesses the level of resources to be allocated;
  – reviews major incidents within its remit, validates the aggregated map of operational risks at Group level, which is used for the macro-level risk mapping campaign;
  – monitors major risk positions across all Group businesses, including risks relating to non-compliance, financial audits, personal and property safety, contingency and business continuity planning, financial security and information system security (ISS);
  – lastly, validates Group RAF indicators related to non-financial risks as well as their thresholds.

INCIDENT AND LOSS DATA COLLECTION

Incident data are collected to build knowledge of the cost of risks, continuously improve management systems, and meet regulatory objectives.

An incident log (incident database) was created to:
• broaden risk analysis and gain the knowledge needed to adjust action plans and assess their relevance;
• produce COREP regulatory half-year operational risk statements;
• produce reports for the executive and governing bodies and for non-management personnel;
• establish a record that can be used for operational risk modeling.

Incidents are reported as they occur, as soon as they are detected, in accordance with Group procedure. A whistleblowing procedure has been set up for major incidents and internal limit breaches to round out the incident data collection system.

OPERATIONAL RISK OVERSIGHT MAPPING

The operational risk management system relies on a mapping process which is updated annually by all Group entities. Mapping enables the forward-looking identification and measurement of high-risk processes. For a given scope, it allows the Group to measure its exposure to risks for the year ahead. This exposure is then assessed and validated by the relevant committees in order to launch action plans aimed at reducing exposure. The mapping scope includes emerging risks, risks related to information and communication technologies and security, including cyber risks, risks related to service providers and risks of non-compliance.

This same mapping mechanism is used during the Group’s ICAAP to identify and measure its main operational risks. The operational risk map also serves as a basis for the macro-level risk mapping campaign covering the institutions, and thus for the Group overall.

ACTION PLANS AND MONITORING OF CORRECTIVE ACTIONS

Corrective actions are implemented to reduce the frequency, impact or spread of operational risks. They may be introduced following operational risk mapping, breaches of risk indicator thresholds or specific incidents. Progress on key actions is monitored by each entity’s Operational Risk Management Committee. At Group level, progress on action plans for the principal risk areas is also specifically monitored by the Non-Financial Risk Management Committee.

INCIDENT ALERT PROCEDURE

The alert procedure for serious incidents has been extended to the entire scope of Groupe BPCE. The aim of this system is to enhance and reinforce the system for collecting loss data across the Group. An operational risk incident is deemed to be serious when the potential financial impact at the time of detection is over €300,000, or over €1 million for Natixis. Operational risk incidents with a material impact on the image and reputation of the Group or its subsidiaries are also deemed to be serious. There is also a procedure in place covering material operational risks, within the meaning of Article 98 of the Ministerial Order of November 3, 2014, for which the minimum threshold is set at 0.5% of Common Equity Tier 1.
