NATIXIS // 2021 Universal Registration Document

3 RISK FACTORS, RISK MANAGEMENT AND PILLAR III Risk management

The mechanism is managed by Natixis’ Operational Risk Committee, which determines the operational risk policy, monitors Natixis’ operational risk exposure and makes final decisions on hedging and reduction. It is the operational extension of the executive body, of which it has full decision-making powers for issues within its area of responsibility. This quarterly Committee, in which the Finance division, the Compliance Department, including the Global Technology Risk Management business line, the Information Systems Department (Technology & Transformation), including the Data Office, the Enterprise Risk Management Department, the General Inspection Department and the Operational Risk Department of Groupe BPCE take part, is chaired by the Chief Executive Officer, the Chief Risk Officer (his deputy), with the Head of Operational Risks acting as secretary. The standing members of the Operational Risk function, apart from the Head of the department, are the departments’ Heads of Operational Risk and the Data, Methods & Projects Officer.

The Operational Risk Committees of the business lines and support functions are offshoots of Natixis’ Operational Risk Committee, which closely manages the operational risk exposure of each scope. These Committees are organized according to the function’s governance matrix (location and business lines). They are facilitated by the Head of the Operational Risk Department acting as Committee secretary. Each Committee is chaired by the Head or manager of the Scope (business line or support function, depending on the entity) with the participation of operational managers, support function representatives and the dedicated compliance managers.

The structure of the function mirrors the organization of:
- the divisions under the responsibility of the operational risk managers;
- geographical locations under the responsibility of the operational risk managers of the Americas, Europe-Middle East-Africa and Asia-Pacific platforms reporting hierarchically to the local risk manager and functionally to the operational risk manager;
- the support and control functions under the responsibility of an operational risk manager covering – in addition to the activities within his or her remit – overall and systematic operational risks (loss of access to premises or information systems, or loss of employee availability) to which Natixis is exposed.

The function has 75 FTEs dedicated to Natixis’ operational risk management. Within their designated scopes (subsidiary, branch, business line or support function), they are responsible for instilling the operational risk culture, recording and analyzing incidents, mapping risks, proposing and following up corrective actions, compiling reports and escalating information to management. Analyses are carried out across the Bank where the support or control functions are involved, or where the processes have an impact on teams, whether in the front, middle or back office.

This framework is managed using a single information system that has been deployed across the Company’s entities, business lines and support functions in France and internationally. This internal tool is available in French and English and hosts all the components of the operational risk oversight system (incidents, risk mapping, risk management systems, key risk indicators, corrective actions, Committees, etc.). The accuracy of the information entered or approved by the operational risk managers is ensured through reconciliation with information from other functions (finance, compliance, legal, Information Systems Security, data quality, insurance, etc.).

The calculation of capital requirements for operational risk is established using the standard method for all Natixis operating divisions in cooperation with Enterprise Risk Management. For the purposes of managing its economic capital, Natixis uses an internal methodology to obtain an overall estimation of its level of exposure to operational risk by business line entity, geographic region and certain major risk situations. The methodology relies on a value at risk (VaR) calculation based on risk mapping, factoring in identified incidents for backtesting and known external losses.
