Société Générale / Risk Report - Pillar III

3 RISKMANAGEMENT ORGANISATION RISK APPETITE

cybersecurity: The Group has no tolerance for fraudulent intrusions, p in particular those resulting in the theft of customer data or a major operational disruption. The Bank intends to introduce effective means to prevent and detect this risk. It is adequately organised to deal with any incidents; data leaks: trust is one of the Group’s key assets. As a result, the p Bank is committed to deploying the necessary resources and implementing controls to prevent, detect and remedy data leaks. The bank does not tolerate leaks of its most sensitive information, in particular where it concerns its customers; business continuity: the Group relies heavily on its information p systems to carry out its operations and is therefore committed to deploying and keeping its information systems resilient so that they can ensure the continuity of its most essential services. The Bank has very low tolerance for the risk of unavailability of its information systems that take care of its essential functions, in particular when it comes to systems directly accessible to its customers or those allowing it to conduct business on the financial markets; outsourced services: the Group intends to demonstrate a high p degree of thoroughness in the control of its activities entrusted to external service providers. As such, the Group adheres to a strict discipline of monitoring its providers with a review frequency depending on their level of risk. Structural interest rate and exchange rate risks, Risks on Pension/Long-Service Obligations The Group measures and strictly controls structural risks. The mechanism to control interest rate risk, foreign exchange risk and the risk on pension/long-service obligations is based on sensitivity or stress limits which are broken down within the various businesses (entities and business lines). There are four main types of risk: rate level risk; curve risk, related to the term structure of the instruments in the banking book; optional risk (arises from automatic options and behavioral options) and basis risk, related to the impact of relative changes in interest rates indices. The Group’s structural interest rate risk management primarily relies on the sensitivity of Net Present Value (“NPV”) of fixed-rate residual positions (excesses or shortfalls) to interest rate changes according to several interest rate scenarios. Limits are set by the Finance Committee or the Board of Directors at the Business Unit/Service Unit and Group levels. Furthermore, the Group measures and controls the sensitivity of its net interest margin (“NIM”) to +/ 10 bp interest rates shocks, on a sliding 2-year horizon. The Group’s policy consists of requesting entities to hedge their exposure to currency fluctuations by endorsing all on and off-balance sheet positions and controlling residual exposure by setting low limits. In addition, at the Group level, the hedging policy consists of reducing, as far as possible, the sensitivity of its CET1 ratio to fluctuations in exchange rates. Regarding risks on pension/long-service obligations, which are the bank’s long-term obligations towards its employees, the amount of the provision is monitored for risk on the basis of a specific stress test and an attributed limit. There are two main objectives of the risk management policy: reduce risk by moving from defined-benefit plans to defined-contribution plans, and optimize asset risk allocation

(between hedge assets and performance assets) where regulatory and tax constraints allow.

Liquidity and Funding risks Liquidity risk calibration and control is based on:

two complementary metrics, the Business as Usual (BAU) static gap, p that measures the price risk, meaning the economic risk, without taking into account new productions in a non-stressed environment (no impact on assets prices, for instance). And the Combined (CMB) stressed dynamic gap, used to measure the lethal risk. That risk is asymmetrical - i.e . the risk that the Group could not meet all its liquidity commitments in a stressed environment due to a short liquidity position; maintaining sufficient liquidity reserve in an amount and quality to p cover short-term financial obligations in stress scenarios; controlling “liquidity gaps” in the principal business lines and p entities to control the risk of inconsistent maturities between cash inflows and outflows. Funding risk calibration and control is based on: maintaining a liabilities structure designed to meet Group p regulatory requirements (Tier1, Total Capital, Leverage, TLAC, NSFR and MREL ratios) and rating agency requirements in order to secure a minimum rating level; capping use of market funding (in particular, overnight and p short-term) and of short term financing raised by treasuries; diversifying the Group’s funding sources by maturity, market, p currency and counterparty; healthy and prudent management of treasury/ALM transactions as p determined by the Group to meet the requirements of the Law on the Separation and Regulation of Banking Activities (Loi de Séparation et de Régulation des activités bancaires) ; maintaining an available collateral volume which ensures access to p secured debt markets, as well as access to ECB facilities, if necessary. Model risk Societe Generale is committed to defining and deploying internal standards to reduce model risk, on the basis of key principles, including the establishment of three independent lines of defense, a proportionality approach (i.e. modular standards depending on the inherent level of risk associated with each model), a comprehensive analysis of the model risk (end-to-end view of the model lifecycle) and the consistency of the approaches used within the Group. Risks related to Insurance The Group conducts Insurance activities (Life Insurance and Savings, Retirement savings, Property & Casualty Insurance, etc.) which exposes the Group to two major types of risks: subscription risk related to pricing and claim rates deterioration; p risks related to financial markets (interest rate, credit and equity) p and asset-liability management.

21

| SOCIETE GENERALE GROUP | PILLAR 3 - 2020