NATIXIS_PILLAR_III_2017_EN

10 OPERATIONAL RISKS

10.1 Targets and policy

As part of the definition of its risk appetite, and in accordance with the French Ministerial Order of November 3, 2014, Natixis defined its operational risk tolerance policy with a view to limiting losses related to operational risks and regularly reviewing actions to reduce risks. The policy sets out the governance established, the quantitative and qualitative management framework, and the monitoring performed thus far. It defines six operational risk management criteria:

- four quantitative indicators: one historical indicator measuring the cost of risk, one forward indicator measuring the risk exposure, one individual indicator identifying the occurrence of major incidents to be reported to the regulator, and an operational risk management indicator measuring the progress of corrective actions;
- a qualitative indicator measuring the compliance of the framework;
- a new indicator for cyber risk.

The operational risk management framework identifies, measures, monitors and controls the level of operational risks for all the Company’s business lines and support functions in France and abroad.

10.2 Organization

The Operational Risk function is responsible for monitoring and managing risks arising from failures attributable to operating procedures, employees and internal systems or arising from outside events. Its duties as described in the operational risk policies and procedures validated by the Natixis Operational Risk Committee include:

- recording incidents via a network of Operational Risk Officers across all business lines and support functions;
- investigating serious incidents including an escalation process;
- qualitative and quantitative mapping of potential risks;
- links with other control functions;
- establishing key risk indicators and environmental variables of a predictive nature.

The mechanism is managed by Natixis’ Operational Risk Committee, a specialized body that oversees operational risk policy, monitors Natixis’ exposure and makes final decisions on hedging and reduction. It is the operational extension of the executive body and, as such, possesses full decision-making powers for issues within its area of responsibility. This Committee meets quarterly and is attended by Compliance, ITSS-BC and the Internal Audit Department. It is chaired by the Chief Executive Officer or his substitute the Chief Risk Officer, with the Head of the Operational Risk Department acting as secretary. The standing members of the Operational Risk function, apart from the Head of the department, are the departments’ Heads of Operational Risk and the data & methods officer.

Business-line Operational Risk Committees and support functions are offshoots of Natixis’ Operational Risk Committee. They closely manage each business line’s operational risk exposure. These Committees are organized according to the function’s governance matrix (location and business lines). They are chaired by the Head of the relevant business line with the participation of Compliance and are coordinated by the Operational Risk Department, which acts as Committee secretary.

The structure of the function mirrors the organization of:

- the divisions under the responsibility of the operational risk managers;
- the foreign offices under the responsibility of the operational risk managers of the Americas, EMEA and Asia-Pacific platforms. They report hierarchically to the local Chief Risk Officer, and functionally to the Head of Operational Risk;
- the support and control functions under the responsibility of an operational risk manager covering – in addition to the activities within his or her remit – overall risks (loss of access to premises or information systems, or loss of employee availability) to which Natixis is exposed.

The function has some 60 staff members (operational risk managers) dedicated to operational risk management. Within their designated scopes (subsidiary, business line or support function), they are responsible for instilling the operational risk culture, reporting and analyzing incidents, mapping risks, proposing and following up corrective actions, compiling reports and escalating information to management. Analyses are carried out across the Bank where the support or control functions are involved, or where the processes have an impact on teams, whether in the front, middle or back office.

Overseeing this framework is a single overarching information system that has been deployed across the Company’s entities, business lines and support functions in France and internationally. It is available in French and English and hosts all the components of the operational risk oversight system (incidents, mapping of quantified potential risks, risk management systems, key risk indicators, corrective actions, Committees, etc.). The accuracy of the information entered or approved by the operational risk managers is ensured through reconciliation with information from other functions (accounting, compliance, legal, IT Systems Security, data quality, insurance, etc.).

The capital requirements for operational risk are calculated using the standardized approach for all of Natixis’ operational divisions.
However, Natixis uses an internal methodology to obtain an overall estimation of its level of exposure to operational risk by business line entity, geographic region and certain major risk situations. The methodology relies on a VaR calculation based on risk mapping, factoring in identified incidents for backtesting and known external losses.


NATIXIS Risk report Pillar III 2017
