BPCE_PILLAR_III_2017

4 GOVERNANCE AND RISK MANAGEMENT SYSTEM Governance of risk management

Risk and Compliance functions Groupe BPCE’s Risk, Compliance and Permanent Control division (DRCCP) oversees the Group’s risk management, Compliance and permanentcontrol functions, focusing on the managementof credit, financial,operationaland non-compliancerisks, extendedto business continuity and financial audit functions, and information system security. It ensures that the risk policies of the affiliates and subsidiaries comply with those of Groupe BPCE. The Risk Management and Compliance departments of the Banque Populaire banks and Caisses d’Epargne have a strong functional link with Groupe BPCE’s Risk Managementdivision. The subsidiaries also bound by this strong functional link include Natixis, Crédit Foncier, Banque Palatine and BPCE International.The Risk Management and Compliance departments of subsidiaries not subject to the banking ORGANIZATION Relying on strong functional links, the Risk, Compliance and Permanent Control division (DRCCP) coordinates Groupe BPCE Risk and Compliance functions. The Risk, Compliance and Permanent Control Charter calls for the DRCCP to participate, at its own initiative, in the annual performanceassessmentof the heads of the permanent control functions, particularly risk and/or compliance, in consultation with the President of the Management Board or the Chief Executive Officer. More specifically, to coordinate cross-business projects, the DRCCP relies on the Governance and Coordination department. This department also handles day-to-day coordination of the entire system, which is supported by a strong functional link between the institutions’Risk Managementand Compliancedivisions and Groupe BPCE’s Risk, Compliance and Permanent Control division, and contributesto the overall monitoringof Group risk, mainlythrough: oversight and updates of key Risk and Compliance function ● documents suchas charters and standards; analysis of the Executive Risk Committeesof the Banque Populaire ● banks, the Caisses d’Epargne and the subsidiaries; coordinationof Risk Managementand Compliancefunction events ● through a series of national Risk Management and Compliance Days, including discussions and exchanges on risk- and compliance-relatedissues, presentationson the work done by the functions, training and sharing of best practices in the credit, financial, operational and compliance fields between all Group institutions. Risk Management and Compliance Days also present opportunities to strengthen group-wide solidarity in the risk management and/or compliance professions in today’s ever-changing regulatory environment. In addition, audioconferencesand regional meetingsare attendedby the Heads of Risk Management and Compliance of the networks and subsidiaries to addresscurrent topics andevents; a document library dedicated to the risk, compliance and ● permanent control functions; Governance and coordination

supervision regulatory framework have a functional reporting link with Groupe BPCE’s DRCCP. Group institutions are responsible for defining, monitoring and managing their risk levels, as well as producing reports and data for submissionto the centralinstitution’sDRCCP.They ensure the quality, reliability and completenessof the data used to control and monitor risks at the company level and on a consolidatedbasis, in line with Group risk standards andpolicies. To carry out their various projects,the Group’s institutionsrely on the Group’s Risk, Complianceand PermanentControl Charter. The charter specifies that each institution’s supervisory body and executive managers promote the risk managementculture at all levels of their organization. operational efficiency work (headcount benchmark standards, risk ● and compliance half-year reporting, risk appetite framework and the institutions’ macro risk map); support for new Heads of Risk Managementand/or Complianceof ● Groupe BPCE institutions via a special program; frequent trips to the Risk and Compliance departments of the ● BanquePopulairebanks and the Caissesd’Epargneto meet with the Heads of Risk Management and/or Compliance and their teams; in addition to the operationalcommitteemeetingsattended by the ● Group DRCCP, General Meetings are also held with the main BPCE subsidiaries (Natixis, Crédit Foncier, Banque Palatine and BPCE International) for a comprehensive review with the Head of the DRCCP; publication of a newsletter, “Our Network”, every four months for ● the heads of Group institutions and the heads of the various functions, including the Sales function. Another letter is sent out more frequently, summarizing current regulatory developments; an annual training program offered to all Risk and Compliance ● function employees, in conjunction with the Group Human Resources division. In addition, a university training course on “internal control and risk managementat financial institutions” is given at UniversitéParis-Dauphine.Participantsearn a degree upon successful completion of the course; and, in general, the practice of risk and complianceawarenessand ● sharing of best practices throughoutthe Group, in particular via a digital document library and the introductionof a new slogan for the risk and compliance functions: “long-termdevelopmentis our job, let’s movetogether”. The regulation division carries out the regulatory watch for the DRCCP scope and assists in Group projects with a regulatory component. It participates in industry-wide efforts in coordination with the Group’s other Regulatory divisions. The division also dispenses training and organizes awareness-buildingcampaigns for Group employees onregulatory issues.

64

Risk Report Pillar III 2017