Société Générale / Risk Report - Pillar III
3.5 RISK MANAGEMENT ORGANISATION
Implementing a high-performance and efficient risk management structure is a critical undertaking for Societe Generale in all businesses, markets and regions in which it operates, as is maintaining a balance between strong awareness of risks and promoting innovation. The Group’s risk management, supervised at the highest level, is compliant with the regulations in force, in particular the Order of 3 November 2014 relating to the internal control of companies in the banking sector, payment services and investment services subject to the control of the French Prudential Supervisory and Resolution Authority (Autorité de contrôle prudentiel et de résolution – ACPR) and European Regulations Basel 3 (CRR/CRD). (See Board’s Expertise, p. 86 of the 2020 Universal Registration Document.)

The main objectives of the Group’s risk management strategy are:

- to contribute to the development of the Group’s businesses and profitability by defining the Group’s risk appetite in conjunction with the Finance Division and the business divisions;
- to contribute to the Group’s sustainability by establishing a risk management and monitoring system;
- to reconcile the independence of the risk management system (with respect to the businesses) with close collaboration with the core businesses, which have primary responsibility for the transactions they initiate.

Governance of risk management

Two main high-level bodies govern Group risk management: the Board of Directors and General Management.

General Management presents the main aspects of, and notable changes to, the Group’s risk management strategy to the Board of Directors at least once a year (more often if circumstances so require).

Within the Board of Directors, the Risk Committee (see Art. 11 of the Internal Rules of the Board of Directors, p. 91 of the 2020 Universal Registration Document) advises the Board of Directors on overall strategy and the appetite regarding all kinds of risks, both current and future, and assists the Board when it verifies the implementation of this strategy.

The Board of Directors’ Audit and Internal Control Committee (see Art. 10 of the Internal Rules of the Board of Directors, p. 90 of the 2020 Universal Registration Document) ensures that the risk control systems operate effectively.

Chaired by General Management, the specialised Committees responsible for central oversight of internal control and risk management are as follows:

- the Risk Committee (CORISQ), which met 17 times in 2019, defines the Group’s key priorities in terms of risk (credit, country, market and operational risks), within the framework of the risk appetite and financial targets set by the Group Strategy Committee, and monitors compliance in such respect. Subject to the powers attributed to the Board of Directors, the CORISQ, based on proposals from the Risk Division, takes the main decisions relating to the management of various risks (credit risks, country risks, market and operational risks). The Group also has a Large Exposures Committee, which is responsible for approving the sales and marketing strategy and risk-taking with regard to major client groups;
- the Finance Committee (COFI) is responsible for setting out the Group’s financial strategy and for managing scarce resources (capital, liquidity, balance sheet, tax capacity) in the context of the allocation and the management of structural risks. The COFI, upon proposal from DFIN and RISQ, validates the structural risk monitoring and management framework for the Group and its significant entities and reviews changes in such risks (limits and consumption). It periodically assesses the consumption of scarce resources. It reviews the financial panorama, ILAAP and ICAAP documents, ongoing issues regarding ALM, Liquidity, the Preventive Recovery Plan, and the Corporate Centre budget and intra-Group re-invoicing. Lastly, it covers issues pertaining to the Group’s taxation (managed jointly by DFIN and SEGL);
- the Compliance Committee (COMCO) meets at least quarterly in order to define the Group’s main guidelines and principles in terms of compliance;
- the Corporate Strategic Architecture Committee (CSAE) defines the Company’s architecture from the standpoint of data and reference systems, operational processes and information systems, and ensures the consistency of the Group’s projects with the architecture set out;
- the Group Internal Control Coordination Committee (CCCIG) is responsible for the overall architecture of the Group’s internal control system: for evaluating its efficiency, consistency and comprehensiveness, for taking corrective actions and for monitoring their implementation;
- the Responsible Commitments Committee (CORESP) deals with topics related to the Group’s commitments and normative framework in CSR (including CSR sectoral policies), culture and conduct, or other topics that have an impact on the Group’s liability or reputation and not already covered by an existing Committee.

Divisions in charge of risk monitoring

The Group’s Corporate Divisions, which are independent from the core businesses, contribute to the management and internal control of risks.

The Corporate Divisions provide the Group’s General Management with all the information needed to assume its role of managing Group strategy under the authority of the Chief Executive Officer. The Corporate Divisions report directly to General Management.

- The main role of the Risk Division is to support the development of the Group’s activities and profitability by defining the Group’s risk appetite (allocated between the Group’s different business lines) in collaboration with the Finance Division and the Business and Service Units and establishing a risk management and monitoring system as a second line of defense. In performing its work, the Risk Division reconciles independence from the businesses with a close working relationship with the Business Units, which are responsible in the first instance for the transactions they initiate. Accordingly, the Risk Division:
  - provides hierarchical and functional supervision for the Group’s Risk function,
  - is jointly responsible, with the Finance Division, for setting the Group’s risk appetite as recommended to General Management,
  - identifies all Group risks,
  - implements a governance and monitoring system for these risks, including cross-business risks, and regularly reports on their nature and extent to General Management, the Board of Directors and the banking supervisory authorities,
| SOCIETE GENERALE GROUP | PILLAR 3 - 2020