Société Générale / Risk Report - Pillar III
9 OPERATIONAL RISK
OPERATIONAL RISK MONITORING PROCESS
Governance is established in particular to:
- allow the approval of the annual scenario update programme by the Risk Committee (CORISQ);
- allow the approval of the scenarios by the senior management of the Business and Corporate Divisions, through the Internal Control Coordination Committees of the departments involved or through ad hoc meetings;
- conduct an overall review of the Group's risk hierarchy and of the suitability of the scenarios through CORISQ.

New product committees
Each division submits its new product proposals to a New Product Committee (commercial products only). The committee, jointly coordinated by the Risk Division and the relevant businesses, is a decision-making body which sets the production and marketing conditions of new products offered to customers. The committee aims to ensure that, before any product launch, all types of induced risk (credit, market, liquidity and refinancing, country, operational, legal, accounting, tax, financial and information systems risks, as well as compliance, reputation, personal data protection and corporate social responsibility risks, etc.) have been identified, assessed and, if necessary, subjected to mitigation measures allowing the acceptance of the residual risks. The definition of "new product" extends from the creation of a new product or service to the development of an existing product or service as soon as this development is likely to generate different or higher risks. The development may be linked to matters such as a new regulatory environment, marketing on a new scope or a new type of clientele.

Outsourcing of services
Some banking services are outsourced outside the Group or within the Group (e.g. to our shared service centres). These two subcontracting channels are supervised in a manner adapted to their risks.
A framework of standards, supported by a dedicated tool, helps ensure that the operational risk linked to outsourcing is controlled and that the conditions set by the Group's approval are respected. It maps the Group's outsourcing arrangements, identifying the activities and the BU/SU concerned, and puts outsourcing under control with knowledge of the risks and suitable supervision. During the study phase, the businesses decide on the outsourcing of services within the framework of the standards set by the Group. Outsourcing projects are led by a project manager and validated by the sponsor, who accepts the residual risk level after a risk analysis based on expert opinions. This ensures the consistency of the assessments and of the decisions across the Group. The analysis covers, at a minimum, operational risks (including fraud, execution risk, etc.), legal, tax, non-compliance, reputation, supplier, human resources, social and environmental responsibility and business continuity risks, risks related to data quality, and risks related to information security and data protection. Legal experts use the same definition of essential outsourced services as that set out in the Decree of 3 November 2014. All outsourced services are then monitored at a frequency defined by their level of risk. Services monitored at Group level are subject to reinforced, very regular contractual monitoring. These services are identified using criteria such as the concept of "core business activity", financial impact and reputation risk, and are validated by a dedicated committee chaired by the Operational Risk Department.
A closing phase manages the termination of outsourced services.
Crisis management and business continuity
The crisis management and business continuity systems aim to mitigate as far as possible the impacts of potential incidents on customers, staff, activities and infrastructure, thus protecting the Group's reputation, the image of its brands and its financial resilience. These systems also satisfy regulatory requirements. The approach used to implement and track the business continuity systems of each Group entity is based on a methodology that meets international standards.

2018-2020 IT security master plan
With investments amounting to EUR 650 million over the last three years, the IT security master plan places cybersecurity at the centre of the trusted digital relationship between Societe Generale and its customers. The assessment of cyber risks and the measures taken to strengthen our IT security are managed using a dashboard shared quarterly with the Group's management. Structured around a set of key risk indicators (KRIs) covering the eight standard categories of IT security risk recommended by the regulatory authorities and standards bodies (ACPR, EBA, NIST, etc.), the dashboard is a means of verifying compliance with the Group's risk appetite and the effectiveness of action plans. A cyber risk insurance policy has been taken out in an environment, not specific to the banking sector, that is seeing the rapid development of new forms of crime, mainly involving data theft or the compromise or destruction of computer systems. In terms of awareness, a multi-language e-learning module on information security is mandatory for all internal Group staff and for all service providers who use or access our information system. At the end of 2019, 97% of Societe Generale Group employees had completed the training. A specific e-learning module for the executive assistants of the Group Executive Committee was introduced at the end of 2019.
Owing to their close working relationship with members of the Group's Executive Committee, executive assistants are a target of choice for fraudsters and other cyber criminals. The purpose of the e-learning module is to raise their awareness of social engineering risks and fraud attempts. Societe Generale also takes on more than 2,500 trainees every year. A confidentiality letter is now systematically sent to them for signature before they take up their post. The Group organises dedicated onboarding sessions for them, in particular to remind them of the information protection rules in force in the Group; for example, they are required to have the content of their traineeship report validated by their manager before it is circulated externally. In addition, specific awareness-raising actions, aimed not only at employees but also at customers, are carried out throughout the year (conferences, demonstrations, workshops, etc.). For example, simulated phishing emails are sent to all employees at least twice a year to teach them to detect a suspicious email and instil the right reflexes. Since the first campaigns in 2015, the rate of link clicks or attachment openings has halved, and the rate of reporting suspicious messages to security teams has almost tripled.
| SOCIETE GENERALE GROUP | PILLAR 3 - 2020