BPCE_PILLAR_III_2017

NON-COMPLIANCE RISKS, SECURITY AND OPERATIONAL RISKS

11.7 Operational risks

ORGANIZATION

The Groupe BPCE Risk, Compliance and Permanent Control division (DRCCP) contributes to the operational risk management policy. To this end, it:
● defines and updates operational risk standards applicable to all Group institutions;
● carries out and updates risk mapping based on uniform evaluation standards across the entire Group;
● rolls out and verifies the implementation of the operational risk monitoring and management system;
● manages the data collection tool for incidents, indicators, risks and corrective actions, and trains the institutions in its use;
● ensures the escalation of significant incidents (in particular those covered by Article 98 of the Ministerial Order of November 3, 2014 on internal control) to the Group’s management bodies;
● co-builds, with the business lines and support functions, and monitors remedial actions relating to major incidents as well as to risks deemed excessive;
● contributes to permanent risk supervision by preparing consolidated summary reports for submission to the various bodies.

ACTIVITIES IN 2017

The fiscal year saw the deployment of a new tool called osirisk at all Group institutions, together with new and revised standards, procedures and working methods that define the rules and a forward-looking operational risk management methodology. The tool provides data consolidation and forward-looking management of risk exposure.

The scope and methodology of operational risk mapping were revised to measure entity risk exposure more effectively. The new methodology is part of the Group’s permanent control system and covers the operational risk, compliance, information system security, personal and property safety and permanent control functions. Risk exposure is measured with a forward-looking model that quantifies and classifies risk scenarios, giving the Non-Financial Risk Committees the elements they need to define their risk appetite. The mechanism was completed at end-2017 with an overhaul of the forward-looking risk indicators, which are derived from the main risks identified in the non-financial risk map.

Finally, risk supervision and monitoring were improved by drafting reports that give the Group as a whole a uniform measure of its risk exposure and cost of risk. From 2018, permanent controls of the operational risk system are carried out centrally, based on statements provided to each function. Centralizing the controls aims to improve the oversight of action plans and to ensure better data quality.

OPERATIONAL RISK OVERSIGHT

Operational risk oversight within the Group is coordinated at two levels:
● at the level of each Group entity, the committee responsible for operational risks, prepared by the Operational Risk function, can be combined with the Non-Compliance Risk Management Committee to form a Compliance and Operational Risk Management Committee, or it can be incorporated in the Executive Risk Management Committee, at the entity’s discretion. The committee is responsible for adapting the risk management policy and ensuring the relevance and effectiveness of the operational risk management system. It monitors the level of risks and the primary incidents through internal reports. It reviews major and recurring incidents, validates local risk mapping, and decides on corrective measures. It reviews Key Risk Indicator (KRI) breaches and decides on corrective measures. It is responsible for examining the permanent controls carried out by the operational risk function and, in particular, any excessive delays in implementing corrective measures. It defines the organizational structure of the network of operational risk officers and oversees awareness-raising measures and training. At least twice a year it examines any incidents liable to trigger claims (reconciliation between the operational risk incident database and the local and Group claim databases) in order to highlight the net residual loss after the application of insurance coverage, and notes any necessary changes to local insurance policies. The committee meets once a quarter;
● at the Groupe BPCE level, a quarterly Non-Financial Risk Management Committee is responsible for cross-business relationships and coordination among the different functions contributing to Level 2 permanent controls. These include operational risk, compliance, information system security, personal and property safety, contingency and business continuity planning, and financial audits. Its main duties are to:
- define the Group’s operational risk policies and standards, and ensure their deployment throughout Group entities;
- assess the level of resources to be allocated to the operational risk function;
- review major incidents within its remit and draw up a consolidated report on losses, incidents and alerts;
- validate the aggregated map of operational risks at the Group level and monitor major risk positions across all Group businesses, including risks relating to non-compliance, financial audits, personal and property safety, contingency and business continuity planning, financial security and information system security (ISS);
- validate Group risk appetite indicators related to non-financial risks, as well as their thresholds;
- decide on the implementation of overall corrective measures affecting the Group and monitor their progress.
