Société Générale / Risk Report - Pillar III
9 OPERATIONAL RISK
9.2 OPERATIONAL RISK MONITORING PROCESS
Risk and control self-assessment

Under the Risk and Control Self-Assessment (RCSA), each manager assesses the operational risks to which each entity within the relevant scope is exposed through its activities, in order to improve their management. The method defined by the Group consists of taking a homogeneous approach to identifying and evaluating operational risks and the frameworks to control these risks, in order to guarantee consistency of results at Group level. It is based notably on a repository of activities. The objectives are as follows:

- identifying and assessing the major operational risks (in average amount and frequency of potential loss) to which each activity is exposed (the intrinsic risks, i.e. those inherent in the nature of an activity, while disregarding prevention and control systems). Where necessary, risk mapping established by the functions (e.g. Compliance, Information Systems Security, etc.) contributes to this assessment of intrinsic risks;
- assessing the quality of major risk prevention and mitigation measures;
- assessing the risk exposure of each activity that remains once the risk prevention and mitigation measures are taken into account (the “residual risk”), while disregarding insurance coverage;
- remedying any shortcomings in the prevention and control systems, by implementing corrective action plans and defining key risk indicators; if necessary, in the absence of an action plan, risk acceptance will be formally validated by the appropriate hierarchical level;
- adapting the risk insurance strategy, if necessary.

Key risk indicators

Key risk indicators (KRIs) supplement the overall operational risk management system by providing a dynamic view (warning system) of changes in business risk profiles. Their follow-up provides managers of entities with a regular measure of improvements or deteriorations in the risk and the environment of prevention and control. A cross analysis of Group-level KRIs and losses is presented to the Group’s Executive Committee on a quarterly basis via a specific dashboard.

Analyses of scenarios

The analyses of scenarios serve two purposes: informing the Group of potential significant areas of risk and contributing to the calculation of the capital required to cover operational risks. These analyses make it possible to build an expert opinion on a distribution of losses for each risk category and thus to measure the exposure to potential losses in scenarios of very high severity, which can be included in the calculation of the prudential capital requirements. In practice, various scenarios are reviewed by experts who gauge the severity and frequency of the potential impacts for the Group by factoring in internal and external loss data as well as the internal framework (controls and prevention systems) and the external environment (regulatory, business, etc.).
The Group’s main frameworks for controlling operational risks are as follows:

- collection of internal losses and significant incidents and analysis of external losses;
- self-assessment of risks and controls;
- oversight of risk indicators;
- development of scenario analyses;
- framing new products;
- management of outsourced services;
- crisis management and business continuity;
- information systems security management.

Societe Generale’s classification of operational risks in eight event categories and 58 risk categories forms the cornerstone of its risk modelling, ensuring consistency throughout the system and enabling cross-business analyses throughout the Group. The eight event categories are as follows:

- commercial litigation;
- disputes with authorities;
- errors in pricing or risk evaluation including model risk;
- execution errors;
- fraud and other criminal activities;
- rogue trading;
- loss of operating resources;
- IT system interruptions.

Collection of internal loss and significant incident data

Internal losses have been compiled throughout the Group since 2003, in addition to significant incident data since 2019. The process:

- defines and implements the appropriate corrective actions;
- achieves a deeper understanding of risk areas;
- enhances awareness and vigilance with respect to operational risks in the Group.

Losses (or gains or near-misses) are reported from a minimum threshold of EUR 10,000 throughout the Group, except for global market activities, where the threshold is EUR 20,000. Incidents without financial impact are also reported when they are deemed significant according to their impact, in particular on contractual commitments, reputation, day-to-day operations, risk appetite or the level of regulatory compliance of the Group.

Analysis of external losses

External losses correspond to the data on operational losses suffered by the banking and financial sector, provided by databases managed by external providers, as well as the data shared by the banking industry as part of consortiums. These data are used to enhance the identification and assessment of the Group’s exposure to operational risks.
PILLAR 3 - 2020 | SOCIETE GENERALE GROUP |