BPCE - Risk Report - Pillar III 2020

RISK MANAGEMENT SYSTEM

INTERNAL CONTROL

in the course of conducting on-site audits, the Group • Inspection Générale division periodically verifies that Group companies comply with the Group Internal Audit standards. The following items are transmitted to the Group Inspection Générale division: the Internal Audit reports of the Group institutions, as they are • produced; the annual reports of the entities, prepared in accordance with • Articles 258 to 264 of Ministerial Order A-2014-11-03 on internal control, are submitted to the Group Inspection Générale division, which forwards them to the supervisory authorities; the presentations made by the Heads of Internal Audit to the • Risk Management Committees, and the minutes of these meetings; the presentations made to the supervisory body on internal • control activities and findings, and extracts of the minutes of the meetings where they were examined; the rules governing oversight of the Inspection business line • between Natixis and the central institution fall within the framework of the Group audit function. WORK PERFORMED IN 2020 Following the restructuring of the Group Inspection Générale division, carried out in 2020 as part of the OPAL project, the scope of intervention of the Coordination, Methods and Data department has been broadened. This expansion went together with a gradual strengthening of the teams in charge and a redeployment of the MOA support functions. In addition to its traditional duties as point of contact for methodology issues and maintenance of the normative and regulatory corpus, the Methods unit is now gradually participating in the work of closing the recommendations in support of the Principal Inspectors in order to optimize their tasks. After hiring a third employee, it has also worked to develop and strengthen close cooperation with the Data teams, notably through dedicated methodological projects. In addition, it has revamped the “customer protection” matrix to include key questions from audit guides covering the area. It prepared and coordinated the MAG 2020 (Group Audit Assignment) on the security of the private information system and GDPR. Moreover, it has drafted several methodological notes for IGG and Group Audit inspectors on the support system for vulnerable customers (relating to inclusion and bank fees) and on the use of the PRISCOP tool (the Group’s permanent controls centralization tool). It also helped to create a white paper defining a new audit methodology for the Group’s retail activities.

In order to better meet the data usage requirements with respect to assignments carried out by the Inspection Générale division, the Data team has seen its workforce practically double and now has six employees, three inspectors on secondment, a work-study employee and an intern. This strengthening of resources, which aims to achieve a balanced mix of skills (between data scientist and data analyst profiles), broadens the area of investigation covered and improves the quality of analyses, with greater support throughout the audit process. It also aims to upskill the workforce regarding data science techniques (OCR, web scraping, sampling). With this in mind, it has joined and participates in Groupe BPCE’s Data Science community, notably through webinars. In addition, in its role of supporting the Group’s audit function, the Data team has initiated a Data support process separate from the institutions’ Internal Audits, based on the identification of their levels and needs. Lastly, it revamped and launched the Group’s Retail risk assessment tool previously used by the IGG. The purpose of this work is to improve the process of supplying and reporting analysis results (by switching to a quarterly frequency). The system is now based on a combination of more than 130 risk indicators, with a view to a comparative assessment of the Group’s Retail institutions according to nine areas of macro-risk. It is intended to become a pre-diagnostic tool for an early-stage IGG audit assignment, as well as a component of the development (and adaptation) of the IGG’s multi-year audit plan (PPA) and of analyses of this plan specific to the Group’s institutions. In addition, following the reorganization of the support functions, part of the project management unit joined the Coordination, Methods and Data department with a view to streamlining and optimizing tasks and creating synergies with the other functions of the department. In addition to its responsibilities of supporting Groupe BPCE’s dedicated recommendations management tool (SAIG-RECO), the new team in place (comprising two employees) pressed on with its duties of assisting in the management and monitoring of the two major projects undertaken the previous year. As such, the Data team, as part of its activity of supporting audit assignments and the parallel development of R&D projects, is working to increase the capacity for data storing and processing in a more independent manner. The second project concerns the deployment of an Audit Management Solution (AMS) to increase efficiency (preparation of the multi-year audit plan, audit assignment, etc.) and to replace the current SAIG-RECO tool. Lastly, it worked on implementing a solution to remotely access the Group Retail Information Systems (BP and CEP) for IGG employees.

3

Structure of integrated control functions

The Risk division and the Corporate Secretary’s Office are responsible for permanent controls at Group level, and the Group Inspection Générale division for periodic control. The permanent and periodic control functions of affiliates and subsidiaries, subject to banking supervision, are functionally subordinate, as Consolidated Control departments, to BPCE’s corresponding Central Control divisions and report to their entity’s executive body.

These ties have been formally defined in charters for each function, covering: a standardized opinion on the appointments and dismissals of • Heads of permanent/periodic control functions at direct affiliates and subsidiaries; reporting, information and whistleblowing obligations; • drafting of standard practices by the central institution set out • in Group standards, definition or approval of control plans.

39

RISK REPORT PILLAR III 2020 | GROUPE BPCE