NATIXIS // 2021 Universal Registration Document

RISK FACTORS, RISK MANAGEMENT AND PILLAR III Risk management

Operational risk monitoring

3.2.7.3 Risk mapping

Risk mapping is central to operational risk monitoring:

[Figure: Risk Map diagram. Labelled elements: analysis of changes in the risk profile of the businesses and support functions; RCSA (qualitative assessment of businesses and support functions risks by the risk owners; gross risk, RMS, net risk); control environment assessment (KRI; incidents with financial, legal, and regulatory impacts; controls; P&P; HR); quantitative backtesting against the incidents database; regulatory environment / Compliance Division (domestic and international regulations, non-compliance risk); permanent control / Compliance Division (PCL1 & 2: annual review of first level controls based on risk assessment, results of first level controls, each control being associated with one or several risks); financial industry businesses and operational environment (external database, public incidents since 1995; scenario analysis on major risks); mitigation actions decided by Committees.]

KRI: Key Risk Indicator; RMS: Risk Management System; RCSA: Risk Control & Self Assessment; HR: Human Resources; P&P: Policies and procedures.

The department in charge of operational risks, together with each business line, entity or support function and in consultation with the other control functions, manages the review of the operational risk mapping. The latter is based on the identification and descriptive analysis of risks, the quantification of these risk situations (definition of an average frequency, an average loss and a maximum loss), taking into account existing risk management systems. This mapping, based on the analysis of processes, is carried out on all of the bank’s activities. A history of internal incidents is used to check the consistency of the results obtained (backtesting), as well as the analysis of the findings of internal audits and results of permanent controls.

The risk mapping process serves to identify Natixis’ exposed business lines and its biggest risks in order to be able to manage them through corrective action and indicators. The mapping of extreme risk situations (i.e. of very low frequency and severe impact, such as regulatory fines, major natural disasters, pandemics, terrorist attacks, etc.) is based on the use of external data including data on financial industry incidents.
