NATIXIS_REGISTRATION_DOCUMENT_2017

RISKS AND CAPITAL ADEQUACY Operational risks

3.8 Operational risks

3.8.1 TARGETS AND POLICY

The standing members of the Operational Risk function, apart from the Head of the department, are the departments’ Heads of Operational Risk and the data & methods officer.

Business-line Operational Risk Committees and support functions are offshoots of Natixis’ Operational Risk Committee. They closely manage each business line’s operational risk exposure. These Committees are organized according to the function’s governance matrix (location and business lines). They are chaired by the Head of the relevant business line with the participation of Compliance and are coordinated by the Operational Risk Department, which acts as Committee secretary.

The structure of the function mirrors the organization of:
- the divisions under the responsibility of the operational risk managers;
- the foreign offices under the responsibility of the operational risk managers of the Americas, EMEA and Asia-Pacific platforms. They report hierarchically to the local Chief Risk Officer, and functionally to the Head of Operational Risk;
- the support and control functions under the responsibility of an operational risk manager covering – in addition to the activities within his or her remit – overall risks (loss of access to premises or information systems, or loss of employee availability) to which Natixis is exposed.

The function has some 60 staff members (operational risk managers) dedicated to operational risk management. Within their designated scopes (subsidiary, business line or support function), they are responsible for instilling the operational risk culture, reporting and analyzing incidents, mapping risks, proposing and following up corrective actions, compiling reports and escalating information to management. Analyses are carried out across the Bank where the support or control functions are involved, or where the processes have an impact on teams, whether in the front, middle or back office.
Overseeing this framework is a single overarching information system that has been deployed across the Company’s entities, business lines and support functions in France and internationally. It is available in French and English and hosts all the components of the operational risk oversight system (incidents, mapping of quantified potential risks, risk management systems, key risk indicators, corrective actions, Committees, etc.). The accuracy of the information entered or approved by the operational risk managers is ensured through reconciliation with information from other functions (accounting, compliance, legal, IT Systems Security, data quality, insurance, etc.).

The capital requirements for operational risk are calculated using the standardized approach for all of Natixis’ operational divisions. However, Natixis uses an internal methodology to obtain an overall estimation of its level of exposure to operational risk by business line entity, geographic region and certain major risk situations. The methodology relies on a VaR calculation based on risk mapping, factoring in identified incidents for backtesting and known external losses.

As part of the definition of its risk appetite, and in accordance with the French Ministerial Order of November 3, 2014, Natixis defined its operational risk tolerance policy with a view to limiting losses related to operational risks and regularly reviewing actions to reduce risks. The policy sets out the governance established, the quantitative and qualitative management framework, and the monitoring performed thus far.

It defines six operational risk management criteria:
- four quantitative indicators: one historical indicator measuring the cost of risk, one forward indicator measuring the risk exposure, one individual indicator identifying the occurrence of major incidents to be reported to the regulator, and an operational risk management indicator measuring the progress of corrective actions;
- a qualitative indicator measuring the compliance of the framework;
- a new indicator for cyber risk.

The operational risk management framework identifies, measures, monitors and controls the level of operational risks for all of the Company’s business lines and support functions in France and abroad.

The Operational Risk function is responsible for monitoring and managing risks arising from failures attributable to operating procedures, employees and internal systems or arising from outside events. Its duties as described in the operational risk policies and procedures validated by the Natixis Operational Risk Committee include:
- recording incidents via a network of Operational Risk Officers across all business lines and support functions;
- investigating serious incidents including an escalation process;
- qualitative and quantitative mapping of potential risks;
- links with other control functions;
- establishing key risk indicators and environmental variables of a predictive nature.

The mechanism is managed by Natixis’ Operational Risk Committee, a specialized body that oversees operational risk policy, monitors Natixis’ exposure and makes final decisions on hedging and reduction. It is the operational extension of the executive body and, as such, possesses full decision-making powers for issues within its area of responsibility. This Committee meets quarterly and is attended by Compliance, ITSS-BC and the Internal Audit Division. It is chaired by the Chief Executive Officer or his substitute the Chief Risk Officer, with the Head of the Operational Risk Department acting as secretary.

3.8.2 ORGANIZATION
