BPCE_PILLAR_III_2017

11 NON-COMPLIANCE RISKS, SECURITY AND OPERATIONAL RISKS Operational risks

Incident and loss data collection

Incident data are collected to build knowledge of the cost of risks, continuously improve management systems, and meet regulatory objectives. An incident log (incident database) was created to:

● broaden risk analysis and gain the knowledge needed to adjust action plans and assess their relevance;
● produce COREP regulatory half-year operational risk statements;
● produce reports for the executive and governing bodies and for non-management personnel;
● establish a record that can be used for operational risk modeling.

Incidents are reported as they occur, as soon as they are detected, in accordance with Group procedure.

Operational risk monitoring

MAPPING

The operational risk management system relies on a mapping process which is updated annually by all Group entities. Mapping enables the forward-looking identification and measurement (using expert opinion and combined with quantitative analysis which includes scenarios taken from external events) of high-risk processes. For a given scope, it allows the Group to measure its exposure to risks for the year ahead. This exposure is then assessed and validated by the relevant committees in order to launch action plans aimed at reducing exposure. The mapping scope includes emerging risks, IS risks (including cyber risk), and non-compliance risks. This same mapping mechanism is used as part of the Group’s ICAAP to identify and measure the Group’s main operational risks. The operational risk map also serves as a basis for the macro-level mapping of institutional risks.

ACTION PLANS AND MONITORING OF CORRECTIVE ACTIONS

Corrective actions are implemented to reduce the frequency, impact or spread of operational risks. They may be introduced following risk mapping, breaches of risk indicator thresholds or specific incidents. Progress on key actions is monitored by each entity's Operational Risk Management Committee. At Group level, progress on action plans for the principal risk areas is also specifically monitored by the Non-Financial Risk Management Committee.

Incident alert procedure

The alert procedure for serious incidents has been extended to the entire scope of Groupe BPCE. The aim of this system is to enhance and reinforce the system for collecting loss data across the Group. An operational risk incident is deemed to be serious when the potential financial impact at the time of detection is over €300,000, or over €1 million for Natixis. Operational risk incidents with a material impact on the image and reputation of the Group or its subsidiaries are also deemed to be serious. There is also a procedure in place covering material operational risks, within the meaning of Article 98 of the Ministerial Order of November 3, 2014, for which the minimum threshold is set at 0.5% of Common Equity Tier 1.


Risk Report Pillar III 2017
