BPCE - Risk Report - Pillar III 2020

3

RISK MANAGEMENT SYSTEM

INTERNAL CONTROL

It makes sure that all institutions, activities and corresponding risks are covered by comprehensive audits, performed at frequencies defined according to the overall risk level of each institution or activity, and at least every four years on average for banking activities. In so doing, it takes into account not only its own audits, but also those conducted by the supervisory authorities and the Internal Audit divisions. The annual audit plan is defined with the Chairman of the BPCE Management Board, and presented to the Group Internal Control Coordination Committee and the Supervisory Board’s Risk Management Committee. It is also transmitted to the national and European supervisors. Inspection Générale division audits contain recommendations prioritized by order of importance, which are regularly monitored (at least once every six months). The division reports the findings of its work to the executive managers of the audited companies and to their supervisory body. It also reports to the Chairman of the Management Board, the Supervisory Board’s Risk Committee and the Supervisory Board of BPCE. It provides them with a report on the implementation of its major recommendations, as well as those of the ACPR and the Single Supervisory Mechanism (SSM). It sees to the expedient execution of any corrective measures to the internal control system, in accordance with Article 26 of the Ministerial Order of November 3, 2014 on internal control, and may call on the Supervisory Board Risk Committee to address any measures that have not been executed. RELATIONS WITH THE PERMANENT CONTROL DIVISIONS OF THE CENTRAL INSTITUTION In the central institution, the Head of the Group Inspection Générale division maintains regular relations and shares information with the heads of the units in the scope of inspection, and more specifically with the divisions in charge of Level 2 controls. The heads of these divisions are responsible for notifying the Head of the Group Inspection Générale division in a timely manner of any disruption or major incident that comes to their attention. The Head of Groupe BPCE’s Inspection Générale division and the Heads of Group Risk Management and Group Compliance and Security notify each other in a timely manner of any inspection or disciplinary procedure initiated by the supervisory authorities and in general of any external audits brought to their attention. ACTIVITIES IN 2020 As part of the full cycle of investigations that it carries out over an average of four years, and based on a risk assessment that it regularly updates for each institution, the Inspection Générale division carried out its audit plan mainly in accordance with forecasts, with adjustments related to the public health crisis and lockdown in the first half of the year. It also monitored the implementation of the recommendations issued by itself, the French Prudential Supervisory and Resolution Authority (ACPR) and the Single Supervisory Mechanism (SSM) on a half-yearly basis, with a whistleblowing system that was ceased on June 30 – a system for reporting delays in implementing these recommendations to the Supervisory Board’s Risk Committee. However, the monitoring of recommendations on June 30 led to a report to the REPORTING Group

Supervisory Board’s Risk Committee in accordance with Article 26 of Ministerial Order A-2014-11-03 on internal control. Lastly, the whistleblowing system at the Group’s Inspection Générale division was reactivated for the period ending December 31, 2020.

AUDIT FUNCTION STRUCTURE OF THE AUDIT FUNCTION

The Group Inspection Générale division carries out its duties within the framework of business line operations. Its methods of operation – for the purposes of consolidated supervision and optimal use of resources – are set out in a charter approved by BPCE on December 7, 2009, which was last updated in July 2018. The aim of this structure is to cover all of the Group’s operational or functional units over a reasonable number of fiscal years, according to the associated risk, and to achieve efficiency between the various complementary audits conducted by the Internal Audits teams of Group entities. The Internal Audit divisions of the direct affiliates and subsidiaries are functionally subordinate to the Group Inspection Générale division and report to the executive branch of their entity. These ties are strictly replicated at the level of each company in the Group, which is itself a parent company. This strong functional subordination is also based on operating rules and the Group Internal Audit Standards applicable by the entire function. It is reflected as follows: the existence of a single group-wide Audit Charter. It defines • the end purpose, powers, responsibilities and general structure of the Internal Audit function in the overall internal control system, and applies to all Group companies supervised on a consolidated basis. This charter is implemented via thematic standards (audit resources, audit of the sales network, audit assignments, follow-up of recommendations, etc.); the appointment and dismissal of the Heads of Internal Audit • of affiliates or direct subsidiaries are subject to the prior approval of the Head of the BPCE Group Inspection Générale division; the annual evaluations of Heads of Internal Audit are • transmitted to the Head of the BPCE Group Inspection Générale division; the Group Inspection Générale division ensures that each • entity’s Internal Audit division holds the necessary resources to perform its duties and adequately cover the multi-year audit plan; the multi-year and annual audit programs carried out by the • Internal Audit divisions of the Group institutions are approved in conjunction with the Group Inspection Générale division; the Group Inspection Générale division is kept regularly informed of their completion or of any change in scope; the Group Inspection Générale division issues a formal letter • of opinion and, where applicable, any reservations on the multi-year audit plan, the quality of work performed and the audit reports submitted to the Group Inspection Générale division, and the resources allocated both in terms of number of employees and expertise; the Internal Audit division applies the standards and methods • defined and distributed by the BPCE Group Inspection Générale division, and refers to the audit guides which are, as a matter of principle, common to all Internal Audit function auditors;

38

RISK REPORT PILLAR III 2020 | GROUPE BPCE

www.groupebpce.com