Société Générale / Risk Report - Pillar III

9 OPERATIONAL RISK

ORGANISATION OF OPERATIONAL RISK MANAGEMENT

Operational risk is the risk of losses resulting from inadequacies or failures in processes, personnel or information systems, or from external events. Included in the eight risk categories outlined in section 9.2, operational risk encompasses the following risks:

- IT and Information Systems Security risks (cybercrime, IT systems failures, etc.);
- risks related to outsourcing of services and business continuity;
- non-compliance risk (including legal and tax risks): risk of court-ordered, administrative or disciplinary sanctions, or of material financial loss, due to failure to comply with the provisions governing the Group’s activities;
- reputational risk: risk arising from a negative perception on the part of customers, counterparties, shareholders, investors or regulators that could negatively impact the Group’s ability to maintain or engage in business relationships and to sustain access to sources of financing;
- misconduct risk: risk resulting from actions (or inactions) or behaviour of the Bank or its employees inconsistent with the Group’s Code of Conduct, which may lead to adverse consequences for our stakeholders, or place the Bank’s sustainability or reputation at risk.

The framework relating to the risks of non-compliance, reputation and inappropriate conduct is detailed in Chapter 12 “Compliance and reputational risk, litigation”.

9.1 ORGANISATION OF OPERATIONAL RISK MANAGEMENT

The Group operational risk management framework, other than non-compliance risks detailed in Chapter 12 “Compliance and reputational risk, litigation”, is structured around a two-level system with the following participants:

- a first line of defence in each core business/activity, responsible for applying the framework and putting in place controls that ensure risks are identified, analysed, measured, monitored, managed, reported and contained within the limits set by the Group-defined risk appetite;
- a second line of defence: the Operational Risk Department within the Group’s Risk Division.

In particular, the Operational Risk Department:

- conducts a critical examination of the BU/SUs’ management of operational risks (including fraud risk, risks related to information systems and information security, and risks related to business continuity and crisis management);
- sets regulations and procedures for operational risk systems and the production of cross-Group analyses;
- produces risk and oversight indicators for operational risk frameworks.

To cover the whole Group, the Operational Risk Department has a central team supported by regional hubs. The regional hubs report back to the central team, providing all information necessary for a consolidated overview of the Bank’s risk profile that is holistic, prospective and valid for both internal oversight purposes and regulatory reporting. The regional hubs are responsible for implementing the Operational Risk Division’s briefs in accordance with the demands of their local regulators. The Operational Risk Department communicates with the first line of defence through a network of operational risk correspondents in each core business/activity of the BU/SUs.

Concerning risks specifically linked to business continuity, crisis management and information security, the Operational Risk Department carries out the critical review of the management of these risks in connection with the Group Security Division. Specifically, regarding IT risks, the Operational Risk Department carries out the critical review of the management of these risks in connection with the Resources and Digital Transformation Department.

Second-level control

The second line of defence against operational risk consists of verifying the definition and efficient conduct of first-level controls, in particular by examining the results of first-level controls in both quantitative and qualitative terms (rates of realisation, level of anomaly, etc.). This review also makes it possible to check the effectiveness and relevance of control implementation, based on key controls and risk type, and of remedial action plans. In accordance with the internal control framework, the level 2 risk permanent control teams exercise second-level control for operational risk, encompassing the risks specific to each business (including the operational risk associated with credit and market risks) as well as those related to sourcing, communications, property, human resources and IT systems.

Risk related to security of property and people

The Group Security Division (SEGL/DSG) is in charge of establishing a forward-looking overview of security, allowing it to assess threats and identify weak signals, and to forewarn and protect persons and the Group’s physical and intangible assets. It also coordinates the planning of actions to maintain the Bank’s critical activities under all circumstances, and assists crisis management if necessary. SEGL/DSG acts as first line of defence (LoD1 expertise) on security issues.

To this end, the Division’s main roles are as follows:

- defining a Group-level overview of security issues;


PILLAR 3 - 2020 | SOCIETE GENERALE GROUP |
