BPCE_REGISTRATION_DOCUMENT_2017

3 RISK REPORT

General structure of Groupe BPCE’S internal control system

INTERNAL CONTROL COORDINATION COMMITTEE The President of the central institution’s Management Board is responsible for ensuring the consistency and effectiveness of the internal control system. A Group Internal Control CoordinationCommittee(CCCIG),chaired by the President of the ManagementBoard or his representative,meets periodically. This committee is responsible for dealing with all issues relating to the consistency and effectiveness of the Group internal control system,as well as the results of risk managementand internalcontrol work and follow-up work. The committee’s main responsibilitiesinclude: validating the Group’s Internal Control Charter, the Risk, ● Compliance and Permanent Control Charter and the Group Audit Charter; reviewing dashboards and reports on group control results, and ● presenting permanent control coordination initiatives and results; validating action plans to be implemented in order to achieve a ● consistent and efficient group permanent control system, and assessing progress made on corrective measures adopted subsequent to recommendations issued by the Group Inspection Générale division, the national or European supervisoryauthorities, and the permanentcontrol functions; reviewing the Group’s internal control system, identifying any ● shortcomings, and suggesting appropriate solutions to further secure the institutionsand the Group; reviewingthe allocation of resources with respect to risks incurred; ● presenting the resultsof institution controls or benchmarks; ● deciding on any cross-business initiatives or measures aimed at ● strengthening the Group’s internal control system; ensuring consistency between measures taken to strengthen ● permanentcontrol and risk areas identifiedduring the consolidated macro-level risk mapping exercise. This committee’s members include the member of the Executive Management Committee in charge of Risk, Compliance and Permanent Control and the Group Head of Internal Audit, who is a memberof the Group’s ExecutiveCommittee.The ManagementBoard member in charge of retail banking and Insurance is a standing member. If applicable, this committee may hear reports from operational managers about measures they have taken to apply recommendationsmade byinternal and external control bodies. GROUP RISK MANAGEMENT COMMITTEE: UMBRELLA COMMITTEE Its scope covers the entire Group (centralinstitution,networksand all subsidiaries). It sets the broad risk policy, decides on the global ceilings and limits for Groupe BPCE and for each institution,validates the authorization limits of other committees, examines the principal risk areas for Groupe BPCE and for each institution, reviews consolidated risk reports and approves risk action plans for the measurement, supervision and management of risk, as well as Groupe BPCE’s principalrisk standardsand procedures.It monitorslimits (Ministerial Order of November 3, 2014 on internal control, Article 226), particularly when overall limits are likely to be reached (Ministerial Order of November3, 2014 oninternal control,Article 229).

Overall risk limits are reviewed at least once a year and presented to the Group Risk Management Committee (Ministerial Order of November 3, 2014 on internal control, Article 224). The Umbrella Committee provides the Risk Management Committee of the Supervisory Board with proposed criteria and thresholds for the identification of incidents to be brought to the attention of the supervisorybody (MinisterialOrder of November 3, 2014 on internal control, Articles 98 and 244). It notifies the Group Risk Management Committeetwice ayear of the conditions under which the established limits were observed (Ministerial Order of November 3, 2014 on internal control,Article 252). At the same time, several committees are responsible either for defining shared methodology standards for measuring, managing, reporting and consolidating all risks throughout the Group, or for making decisions about risk projects with an IT component. Credit Risk/Commitment committees Several kinds of committeeshave been establishedto manage credit risk for the full Group scope, meeting at varying frequencies depending on their roles (ex-post or decision-makinganalysis) and their scope of authority. Financial Risk Committees The Group has also established decision-making and supervisory committees for both market and ALM risk. The frequency of their meetings istailored to institutional and Group needs. Non-Financial Risk Committee This committeemeets quarterlyand includesthe variousGroupeBPCE business lines affected by non-compliance and operational risks, while incorporating IT System Security, Business Continuity and Accounting Review issues. Its purpose is to validate the map of non-complianceand operationalrisks and the associatedaction plans at Group level, and to perform consolidated supervision of losses, incidents and alerts, including reports made to the ACPR under Article 98 of Ministerial Order A-2014-11-03 in respect of non-financialrisks. COMMITTEES SPECIFIC TO EACH DEPARTMENT

PERIODIC CONTROL

Structure and role of the Group’s Inspection Générale division

Duties In accordance with the central institution’s responsibilities and because of collective solidarity rules, the Group’s InspectionGénérale division has the task of periodically checking that all Group institutions are operating correctly and providing company directors with reasonable assurance as to their financialstrength. In this capacity, it ensures the quality, effectiveness,consistencyand proper operation of their permanent control framework and the management of their risks. The scope of the Group’s Inspection Générale division covers all risks, institutionsand activities,including those thatare outsourced.

114

Registration document 2017