NATIXIS // 2021 Universal Registration Document

3 RISK FACTORS, RISK MANAGEMENT AND PILLAR III Risk management

In addition to the risk mapping, more than 600 KRIs (key risk indicators) are set up, with limits and monitored at regular intervals, aiming to dynamically detect changes in operational risk exposure. They apply either to Natixis (overall indicators), to the business lines, or to the support functions that, with the operational risk manager, set the indicators as relevant early warning indicators during the mapping process. These indicators are submitted to the Operational Risk Committee for approval. Any breach of their thresholds, that is the subject of a systematicalert, may trigger action to be carried out immediately or requiring OR Committee approval.

defined threshold or deemed serious by the business line and the Head of the Operational Risk Department) are reported immediately to the business line’s management and to Natixis’ Chief Risk Officer. Following an investigation involving all relevant parties, the operational risk manager of the business line compiles a standardized full report, including a factual description of the event, the analysis of the initial cause, the descriptionof the impact and the proposed corrective actions. At all levels of the Company, the business line Operational Risk Committees review their serious incidents. They decide on the implementation of corrective actions, propose the associated deadlines and deliverables, and monitor progress. The entities and business lines can decide to apply these measures to their own threshold, which is lower than that of Natixis and consistent with its activity and level of risk. Overall trend of reported incidents In 2021, 3,241 incidents that occurred in the year (representing 4,288 single incidents) were entered into the recording tool by the Natixis business lines.

Identifying losses and incidents Recording and analyzing incidents

Incidents are recorded throughout the year. From a threshold of declaration set at respectively€5,000 for the Corporate& Investment Banking and Asset Management business lines and €1,500 for the Payments, Insurance and Wealth Management businesses. A single definition of “serious incident” is used, in compliance with Groupe BPCE standards (€300,000 gross). All serious incidents (above the

Breakdown of the volume of incidents by activity and year of occurrence

2,500

2019 2020 2021

2,180

2,104

2,000

1 426

1,500

1,000

832

536

511

457

473 468

425 353

500

339 345 263

318

92 60 49

1

1

0

Asset & Wealth Management

Payments

Functional Departments

Corporate and Investment Banking

Insurance

Financial Investments

Works Council

Global and Systemic Risks - Paris

Percentage breakdown of the net amount of incidents by Basel category and year of occurrence

100 % 80 % 60 % 40 % 20 % 0 % -20 %

2019 2020 2021

85.35 %

75.62 %

63.30 %

20.59 %

17.49 %

14.85 %

9.91 %

4.34 %

1.69 % 1.30 %

0.10 % 1.68 % 0.02 %

1.42 % 0.60 %

0.58 % 1.16 %

0.00 % 0.01 % 0.01 %

-0.02 %

External fraud

Execution, delivery and procedures

Business interruption and system malfunctions

Damage to property, plant and equipment

Employment and workplace safety practices

Commercial customers, products and practices

Internal fraud

146

NATIXIS UNIVERSAL REGISTRATION DOCUMENT 2021