BPCE - Risk Report - Pillar III 2020

RISK MANAGEMENT SYSTEM

INTERNAL CONTROL

Both divisions perform Level 2 supervision of certain processes used to prepare financial information and implement a Group Level 2 permanent risk control system covering matters of governance, risk, organization, the work of the Risk and Compliance functions, and the implementation of standards, norms and charters. In the Corporate Secretary’s Office, the main role of the Permanent Control Coordination department is to coordinate the Group’s Level 1 and 2 permanent control system. To that end, it: proposes standards and methodological guides for the • exercise of permanent control in Groupe BPCE; monitors the application of control standards, i.e. the • framework document governing the Group’s permanent control system – operational adaptation of the Internal Control Charter – and the control sampling standard, which is based on random, representative samples. To that end, all annual control plans of retail banking institutions are centralized and analyzed each year;

assists the business lines in the review of controls and to • ensure their risk coverage is complete. The various permanent control standards are overseen and constantly updated and expanded in the tool; performs consolidated reporting of control results for the • Group Internal Control Committee; ensures the management of the system and the central • functional administration of the permanent repositories of controls/users/entities. The first mapping exercises and the input of action plans were carried out this year in the modules deployed. Developments increasing the reliability of first-level controls have enabled institutions to improve the quality of their system. The project to automate the annual control plans began in Q4 2020. The project of integrating new subsidiaries into the Group’s permanent control system was also finalized during this year. Other central functions also contribute to the permanent control system, such as the Legal Affairs division and the Group Human Resources division for certain issues affecting the pay policy.

3

HIGHLIGHTS The management of the Covid-19 crisis required an organization adapted to health restrictions, in particular in points of sale receiving customers. The Group’s local banking control plan was adapted to this exceptional situation to factor in the availability of teams working in the institutions. During the lockdown, permanent controls were prioritized in the high-risk areas defined by the risk business lines concerned, in particular in financial security, internal and external fraud, LCR and collateral. Efforts were also made to complete the first-quarter checks on the compliance of customer regulatory files. New credit risk controls have been defined for controls on state-guaranteed loans.

Periodic Control (Level 3)

STRUCTURE AND ROLE OF THE GROUP INSPECTION GÉNÉRALE DIVISION DUTIES

the effective implementation of recommendations from • previous audits and issued by the regulatory authorities. Reporting to the Chairman of the Management Board, the Group Inspection Générale division performs its duties independently of the Operational and Permanent Control divisions. REPRESENTATION ON GROUP GOVERNANCE BODIES AND RISK MANAGEMENT COMMITTEES In the interest of exercising its duties and contributing effectively to the promotion of an auditing culture, the Head of the Group Inspection Générale division takes part, without voting rights, in the central institution’s key Risk Management Committees. As indicated above, the Head of the Group Inspection Générale division is a member of the Group Internal Control Coordination Committee and has a standing invitation to participate in the Supervisory Board’s Risk Committee and the Audit Committee of BPCE, the Risk Committee and Audit Committee of Natixis, and the Risk Committee and Audit Committee of the Group’s main subsidiaries (BPCE International, Crédit Foncier, Banque Palatine). SCOPE OF AUTHORITY To fulfill its duties, the Group Inspection Générale division establishes and maintains an inventory of the Group’s auditing scope, which is defined in coordination with the Internal Audit departments of the Group institutions.

In accordance with the duties incumbent on the central institution, and pursuant to the rules of collective solidarity, the Group Inspection Générale division is responsible for periodically verifying the operation of all Group institutions and providing their executive managers with reasonable assurance of their financial strength. In that role, it ensures the quality, effectiveness, consistency and efficiency of their permanent control system as well as their risk management. The division’s scope of authority covers all risks, all institutions and all activities, including those that are outsourced. Its top priorities are to assess and to report to the executive and decision-making bodies of the entities and the Group as a whole on: the quality of its organizational structure and management; • the consistency, adequacy and operation of risk assessment • and management systems; the reliability and integrity of accounting and management • information; compliance with the laws, regulations and rules applicable to • Groupe BPCE or each company; the quality of its financial position; • the level of risks actually incurred; •

37

RISK REPORT PILLAR III 2020 | GROUPE BPCE